Tangle - cookie keys file

Gary E. Miller gem at rellim.com
Thu Mar 7 20:58:54 UTC 2019


Yo Hal!

On Thu, 07 Mar 2019 12:44:40 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> Gary said:
> > My idiosyncratic read of the FHS would, by default, put the master
> > keys in /usr/local/var/lib:   
> 
> Is that a typo?

No.

> There is no /usr/local/var/ or /usr/var/ on Fedora
> or Debian.

Nor would there be, unless/until a user installed package creates it.

Remember, user installed codes should NEVER use /usr or /var.

I do realize this is a rule frequently violated, but given how often
users install both the distro ntpd/gpsd and the source ntpd/gpsd it
is good to keep their files in different places.

Otherwise you get the constant problem reports we see.

> > We can pick a default, but no default would be fine for most linux.
> > It needs to be configurable for the packager.   
> 
> The server side needs 3 files:
>   cookie keys

I think you mean the master key 'K', plus associated key identifier 'I'.

>   certificate
>   private key for certificate

Which already have standard locations.

> The certificate and private key can live in /etc/ntp/ -- they don't
> get updated by ntpd.

I sure hope not.  That is not standard.  sendmail did that for a while,
it was a huge mess.  Let's Encrypt will not put your files there either.

That ship sailed a LONG time ago.

> We could give up on defaults for all of them.  Then the documentation
> wouldn't have to discuss defaults.

If no defaults, then everything must be specified.  How is that easier?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin