While this wont happen with current ca-certificates, I think we should revert
the changes which caused this bug:
in Debian's 20110421 QA upload, a c_rehash call was added to postinst for
upgrades from versions <= 20090814+nmu3, this was an attempt to rebuild the
symlinks in /etc/ssl/certs, but because update-ca-certificates wasn't removing
/etc/ssl/cert/ca-certificates.crt, it did generate one symlink to this file for
the first certificate. With the Debian change from openssl 1.0.0e-1 to support
multiple certificates in one file, this probably took even worse proportions.
However this probably depended on the order in which c_rehash processed files;
it just does readdir() and generates links for the first certificate of each
.pem and .crt file it finds.
Now in 20110502+nmu1ubuntu1/20110502+nmu1ubuntu2, a call was added to
properly regenerate the links, but kept the plain c_rehash call *after*
it in the postinst, so that it might trigger when upgrading from <=
20090814+nmu3 (so upgrades from natty or lucid will cause this).
Because of the new call I've added in20110502+nmu1ubuntu4 to
regenerates certs when upgrading from <= 20110502+nmu1ubuntu4, this
should be fixed for oneiric users.
Now, what needs to be fixed:
* plain c_rehash is wrong in any case; also an issue in Debian (and the rm
needs to be copied there too)
* postinst has tons of update-ca-certificates calls, mine is the strongest one
as it affects all updates (from natty); all of these should be dropped after
oneiric
Now this could be fixed in oneiric + 1, but it would be clearer to
remove these now to prevent any regression when removing the postinst
snippets (e.g. leaving the plain c_rehash call alone after oneiric would
be wrong).
** Changed in: ca-certificates (Ubuntu Oneiric)
Status: Fix Released => Triaged
** Changed in: ca-certificates (Ubuntu Oneiric)
Milestone: ubuntu-11.10-beta-2 => None
** Changed in: ca-certificates (Ubuntu Oneiric)
Assignee: Steve Langasek (vorlon) => Loïc Minier (lool)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/854927
Title:
c_rehash creating bogus links to ca-certificates.crt
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/854927/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
