[debian-lan-devel] dovecot certificates (was: Installation report)
Jonas Smedegaard
dr at jones.dk
Tue May 7 13:13:47 UTC 2013
Quoting Andreas B. Mundt (2013-05-07 12:59:10)
> On Tue, May 07, 2013 at 10:20:22AM +0200, Jonas Smedegaard wrote:
> > Quoting Andreas B. Mundt (2013-05-06 20:09:01)
> > > We might to improve the certificate stuff some time, to make them
> > > available on the clients also in icedove and iceweasel and perhaps
> > > follow Jonas' recommendation. Up to now I just replaced the
> > > dovecot certificate that's created during installation with a
> > > certificate including the 'mail.intern' alias.
> >
> > Sounds dangerous: The files handled by a package may be
> > automatically changed by the same package as well!
> >
> > I strongly urge you to change strategy to not subvert package-owned
> > files!
>
> I guess this is no problem here, as the certs are not part of the
> package:

The danger is unrelated to whether the files are shipped with the
package or created/moved into place by packaging scripts.

There are two issues here:

a) location of self-signed versus hierarchically trusted certs
b) replacing package-handled cert versus editing configfile pointer

Bug#608719 and resulting postinst (non-debconf emitted!) warning relates
to issue a) whereas my concern here is issue b).

Sure, if the certs introduced by debian-lan are self-signed then both
issues are of concern, but it helps if we separate them in this
discussion.

> So for the time being, we leave it the way it is now?

Do whatever you feel like - I am not vetoing anything, but my concern
still stands.

- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private