Stephen Frost [2009-04-14 9:18 -0400]:
> * Martin Pitt (mpitt@debian.org) wrote:
> > We couldn't set this up by default, of course, since each installed
> > machine will have a different snakeoil cert (it gets generated during
> > installation).=20
>=20
> It's worse than that.. Obviously, you can have the client installed on
> systems which aren't where the server is (we do this alot..) and there's
> no way for a packaging system to pull the cert from the server.
Of course I assumed that the server and client are on different
systems. If they are on the same, then we just use the Unix socket and
don't need all this SSL fuss at all.
> If we're going to do something along those lines, we should start by
> supporting a CA cert directory or similar. We could then recommend
> ca-certificates and default config the client to use those. Of course,
> anyone who actually cares about security probably wouldn't install
> ca-certificates, but it's what the browsers use.
Hm, that sounds like opening a can of worms, TBH. But yes, once the
final defaults in psql are agreed upon, we can discuss the packaging.
Thanks,
Martin
--=20
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
