Public key infrastructure

Peter Rockai prockai at redhat.com
Thu Jul 27 12:48:42 UTC 2006


On Thu, Jul 27, 2006 at 02:33:34PM +0200, Joachim Selke wrote:
> Yes, it is intentional, but I forgot to mention the change.
[snip]
> In addition, the new name makes clear that there have been many changes
> in Fedora's certificate handling. Also I think the name "certs" is more
> precise and understandable; there are more people who know what "certs"
> are than those who know the term "pki".
[snip]
> Since nearly all certificate related packages have to be changed, I
> think it makes no difference whether the name is changed to /etc/pki or
> /etc/certs. Also with a new name it is easier to see what packages have
> been changed already to follow the guidelines, and what still need to be
> changed.

There is a not-completely-trivial migration cost for every change. If
one file moves (e.g. for dovecot, it would only be the public part of
the cert moving, private is in the right place already), the breakage risk is
lower. I would love to get this done for once and ever, I already have
quite some /usr/share -> /etc/pki migration cruft accumulated.

Moving certificates in scriptlets is non-nice, breaking your TLS setup
is not much better. I recognize that things would be better if
locations are standardized... but it's getting more boring every time
the preferred location changes. So in the end, I am left unconvinced,
it's the poor maintainers (including me) who need to handle all the
resulting mess.

Also, if we are trying to get some consensus, consulting the SSL
maintainer would be a good thing to do (I believe he's currently
unreachable though, holidays or somesuch, but not sure).

The bottom line is that yes, if it is widely believed that /etc/certs
is a better place than /etc/pki (which I'm not convinced about
either), sure, why not. Just don't change your mind right after a first FC
release with the new certificate-location-of-the-year gets out.

Yours, Peter.

-- 
Peter Rockai | me()mornfall!net | prockai()redhat!com
 http://blog.mornfall.net | http://web.mornfall.net

"In My Egotistical Opinion, most people's C programs should be
 indented six feet downward and covered with dirt."
     -- Blair P. Houghton on the subject of C program indentation



