On 05/26/2015 08:44 AM, Christoph Anton Mitterer wrote:
If e.g. the Mozilla bundle would be split out to ca-mozilla or something
like that, users that have no interest in these certs could choose not
to install that package and save some space.

Probably something like 99.N% of use cases by rdep packages, wget, mutt, php-*, python-*, msmpt, libcurl, etc. have users that expect to be able to check that certificates chain to a root CA properly. Splitting out the mozilla bundle would only force all rdeps to depend on ca-mozilla, which would depend on the CA-stripped, infra-only ca-certificates package, no?

There is nothing stopping a user from disabling any or all the CA certificates in the existing package. There is no disk space savings if everything depends on ca-mozilla, which is what most users expect.

Also it wouldn't require users to run updates just because the Mozilla
CA bundle changes,... even if they use nothing of it but just want the
infrastructure parts to be used with e.g. the IGTF certs or other CA
packages in Debian.

The main group of CAs that the world uses (provided in browsers by Mozilla, Microsoft, Opera, Google Chrome, and others) is really pretty close from provider to provider. Mozilla happens to have a bundle that is open source and relatively easy to parse. Users will get updates of the theoretical ca-mozilla package in the same numbers as ca-certificates now, if everything depends on ca-mozilla, would they not?

Additionally, the small number of IGTF users, as in your example, don't need to install an update to ca-certificates, if igtf-policy-bundle is updated and they only wish to install that update. So yes, the independence of the example IGTF package updates already exists.

--
Kind regards,
Michael


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to