Bug#740603: /etc/shibboleth not created when not using libapache2-mod-shib2

Russ Allbery rra at debian.org
Sun Mar 16 21:48:49 UTC 2014


"Cantor, Scott" <cantor.2 at osu.edu> writes:
> On 3/3/14, 4:56 PM, "Russ Allbery" <rra at debian.org> wrote:

>> I am a little worried about downgrading the shibd dependency in
>> libapache2-mod-shib2 to recommends; maybe it should stay as depends for
>> now even though it's possible to run shibd on a different host?

> I think you can leave that, particularly if all that's installing is
> shibd + init script. It's possible, but ultimately impractical to run
> shibd remotely at any scale, leads to security mistakes, and it's an
> explicit requirement of the Apache half that a shibd be used, which
> leads me to believe requiring it is the best choice.

I finally got to this restructuring, and then I realized it was a bit more
confusing than I'd thought and I wasn't sure where everything should go.

Here's a first cut.  Could I get a sanity check on whether this makes
sense?  (Multiarch paths simplified for the sake of easier discussion.)

libapache2-mod-shib2 (existing package)
    /usr/lib/apache2
    /usr/lib/shibboleth/*.so
    /usr/lib/shibboleth/shibauthorizer
    /usr/lib/shibboleth/shibresponder

shibboleth-sp2-common (new package)
    /etc/shibboleth

shibboleth-sp2-utils (new package)
    /usr/bin/*
    /usr/sbin/* (including shibd and init script)

libshibsp6 would depend on shibboleth-sp2-common.  libapache2-mod-shib2
would depend on shibboleth-sp2-utils.  Every other package would retain
its current contents and dependency structure.  (I know the authorizer and
responder need to be split off somehow eventually into a FastCGI package,
but I'll deal with that later.)

Some things that I'm not sure about:

* Should the *.so files stay in the Apache package, or move to something
  else?  Does it make sense to put them in the -utils package along with
  shibd?  Or do they need to go into some other package of their own?
  (They can't go into the library package directly because they aren't
  versioned; presumably the ABI doesn't change between library releases?
  Or if it does, I should move them to a directory versioned by ABI
  version and then include them with the library package.)

* Does it make sense to folks to have all the utilities including shibd
  collected together in shibboleth-sp2-utils?  This would include
  shib-metagen, resolvertest, mdquery, and shib-keygen along with shibd.
  I kind of don't like having daemons in a -utils package, but I think
  splitting things further just creates a ton of packages for no
  particular purpose.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>


