Bug#740603: /etc/shibboleth not created when not using libapache2-mod-shib2
Russ Allbery
rra at debian.org
Mon Mar 3 21:56:00 UTC 2014
"Cantor, Scott" <cantor.2 at osu.edu> writes:
> On 3/3/14, 4:27 PM, "Russ Allbery" <rra at debian.org> wrote:
>> Could you explain a bit more about what the use case is? I think I
>> understand, but I'm not sure. You're using libshibsp5, and you want
>> the standard configuration files, but you aren't using Apache so you
>> don't want libapache2-mod-shib2? (Or, I guess, to be more precise, you
>> don't want the apache2-api-20120211 dependency, since the extra files
>> in libapache2-mod-shib2 are harmless.)
>> Do you want shibd?
> I would prefer that shibd be included, because it is possible in theory
> if not necessarily in current fact to configure the use of things like
> Moonshot and SAML-EC to use shibd in some cases.
> In other respects, yes, the code in Moonshot is linked to the SP
> libraries but isn't necessarily using the Apache module.
Am I correct in my understanding of the original bug report that the
shibsp library actually requires /etc/shibboleth to work? In other words,
from a package perspective, should libshibsp depend on the configuration
files (however provided)? I was assuming that it was meaningful to use
the library without it, but I never really investigated that assumption.
I think there are a couple of obvious package layouts that I could use:
1. Package shibd plus /etc/shibboleth in a new package (probably just
called shibd) and have libshibsp5 and libapache2-mod-shib2 depend on
it.
2. Create two new packages, shibd and shibboleth-common. Put the shibd
binary and init script in the first and the configuration files in the
second. Make libshibsp5 and libapache2-mod-shib2 depend on
shibboleth-common and recommend (?) shibd. Make shibd depend on
shibboleth-common.
It sounds like the latter more accurately reflects the real underlying
dependencies and requirements. I am a little worried about downgrading
the shibd dependency in libapache2-mod-shib2 to recommends; maybe it
should stay as depends for now even though it's possible to run shibd on a
different host?
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
More information about the Pkg-shibboleth-devel
mailing list