"Cantor, Scott" <canto...@osu.edu> writes:
> On 3/3/14, 4:56 PM, "Russ Allbery" <r...@debian.org> wrote:
>> I am a little worried about downgrading the shibd dependency in
>> libapache2-mod-shib2 to recommends; maybe it should stay as depends for
>> now even though it's possible to run shibd on a different host?
> I think you can leave that, particularly if all that's installing is
> shibd + init script. It's possible, but ultimately impractical to run
> shibd remotely at any scale, leads to security mistakes, and it's an
> explicit requirement of the Apache half that a shibd be used, which
> leads me to believe requiring it is the best choice.
I finally got to this restructuring, and then I realized it was a bit more
confusing than I'd thought and I wasn't sure where everything should go.
Here's a first cut. Could I get a sanity check on whether this makes
sense? (Multiarch paths simplified for the sake of easier discussion.)
libapache2-mod-shib2 (existing package)
/usr/lib/apache2
/usr/lib/shibboleth/*.so
/usr/lib/shibboleth/shibauthorizer
/usr/lib/shibboleth/shibresponder
shibboleth-sp2-common (new package)
/etc/shibboleth
shibboleth-sp2-utils (new package)
/usr/bin/*
/usr/sbin/* (including shibd and init script)
libshibsp6 would depend on shibboleth-sp2-common. libapache2-mod-shib2
would depend on shibboleth-sp2-utils. Every other package would retain
its current contents and dependency structure. (I know the authorizer and
responder need to be split off somehow eventually into a FastCGI package,
but I'll deal with that later.)
Some things that I'm not sure about:
* Should the *.so files stay in the Apache package, or move to something
else? Does it make sense to put them in the -utils package along with
shibd? Or do they need to go into some other package of their own?
(They can't go into the library package directly because they aren't
versioned; presumably the ABI doesn't change between library releases?
Or if it does, I should move them to a directory versioned by ABI
version and then include them with the library package.)
* Does it make sense to folks to have all the utilities including shibd
collected together in shibboleth-sp2-utils? This would include
shib-metagen, resolvertest, mdquery, and shib-keygen along with shibd.
I kind of don't like having daemons in a -utils package, but I think
splitting things further just creates a ton of packages for no
particular purpose.
--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
