Ruediger Meier wrote:
On Thursday 01 August 2013, Ludwig Nussel wrote:
I'm actually more worried about /etc/ssl/certs. Ideally it should be replaced by a read-only bind mount to /var/lib/ca-certificates/pem, but I fear that admins put certs there (that are now completely ignored).
Please not another bind mount. If I as an admin want to try something out quick and dirty I really hate such artificial restrictions to protect me against my own stupidity.
Quick and dirty would still work if you put the files into /var/lib/ca-certificates/pem instead of /etc/ssl/certs.
Couldn't we avoid that update-ca-certificates wipes out /etc/ssl/certs completely? Would it work to use a subdir and to not touch admin's files?
I think /etc/ssl/certs has to be kept filled with certificates for compatibility for a while. So we have to fill it somehow. Right now that happens by putting hundreds of symlinks to individual certs into /etc/ssl/certs. IMO it would be better to not mess with /etc all the time, so making either /etc/ssl/certs itself a symlink or making it a bind mount would be options. Replacing directories with symlinks is not exactly something rpm likes though ...

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
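
The thread's concern that certificates placed by hand in /etc/ssl/certs are now ignored can be checked before the directory layout is changed. The following is an added example, not part of the original message and not code from update-ca-certificates: it lists entries that are not symlinks resolving into the managed store. The function name is hypothetical, and a `readlink` that supports `-f` is assumed.

```shell
#!/bin/sh
# Added example: report entries in a certs directory that were not generated
# as symlinks into the managed store (files or links an admin put there).
# Default paths are the ones named in the thread; both can be overridden.

find_unmanaged_certs() {
    certs_dir=${1:-/etc/ssl/certs}
    store_dir=${2:-/var/lib/ca-certificates/pem}

    # Canonicalise the store path so resolved link targets can be compared.
    store_real=$(cd "$store_dir" 2>/dev/null && pwd -P) || return 2

    for entry in "$certs_dir"/* "$certs_dir"/.[!.]*; do
        # Skip unmatched glob patterns, but keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue

        if [ -L "$entry" ]; then
            # Assumption: readlink supports -f (GNU coreutils and others).
            target=$(readlink -f "$entry" 2>/dev/null) || target=
            case $target in
                "$store_real"/*) continue ;;  # managed symlink, ignore
            esac
        fi

        # Regular file, directory, or link pointing outside the store.
        printf '%s\n' "${entry##*/}"
    done
    return 0
}
```

Anything the function prints would be lost or ignored if /etc/ssl/certs became a symlink or bind mount to the store, so those files are the ones to move into the managed location first.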