Bug#740603: /etc/shibboleth not created when not using libapache2-mod-shib2

Russ Allbery rra at debian.org
Mon Mar 3 21:56:00 UTC 2014


"Cantor, Scott" <cantor.2 at osu.edu> writes:
> On 3/3/14, 4:27 PM, "Russ Allbery" <rra at debian.org> wrote:

>> Could you explain a bit more about what the use case is?  I think I
>> understand, but I'm not sure.  You're using libshibsp5, and you want
>> the standard configuration files, but you aren't using Apache so you
>> don't want libapache2-mod-shib2?  (Or, I guess, to be more precise, you
>> don't want the apache2-api-20120211 dependency, since the extra files
>> in libapache2-mod-shib2 are harmless.)

>> Do you want shibd?

> I would prefer that shibd be included, because it is possible in theory
> if not necessarily in current fact to configure the use of things like
> Moonshot and SAML-EC to use shibd in some cases.

> In other respects, yes, the code in Moonshot is linked to the SP
> libraries but isn't necessarily using the Apache module.

Am I correct in my understanding of the original bug report that the
shibsp library actually requires /etc/shibboleth to work?  In other words,
from a package perspective, should libshibsp depend on the configuration
files (however provided)?  I was assuming that it was meaningful to use
the library without it, but I never really investigated that assumption.

I think there are a couple of obvious package layouts that I could use:

1. Package shibd plus /etc/shibboleth in a new package (probably just
   called shibd) and have libshibsp5 and libapache2-mod-shib2 depend on
   it.

2. Create two new packages, shibd and shibboleth-common.  Put the shibd
   binary and init script in the first and the configuration files in the
   second.  Make libshibsp5 and libapache2-mod-shib2 depend on
   shibboleth-common and recommend (?) shibd.  Make shibd depend on
   shibboleth-common.

It sounds like the latter more accurately reflects the real underlying
dependencies and requirements.  I am a little worried about downgrading
the shibd dependency in libapache2-mod-shib2 to recommends; maybe it
should stay as depends for now even though it's possible to run shibd on a
different host?

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>


