[Pkg-nagios-devel] Bug#545484: Bug#545484: Bug#545484: nagios-plugins-basic: enable SSL certificate validity check by default

Fri Dec 18 08:14:45 UTC 2009

Hi Thijs,

On Wednesday 18 November 2009 18:16:21 Thijs Kinkhorst wrote:
> > as I can understand, that this would be a usefull addition, I think we
> > have a couple of disadvantages.
> >
> > * users which uses a certificate and don't care if its valid/expired
> > (just want to encrypt the payload) maybe get nerved
>
> In both situations, current and proposed, a group of people will want to
> opt to change it. My proposal is to change the default, not to force the
> checks upon them. In my view default on is better than default off in this

which default? If you don't want to change the check commands, what else? 
Looking into your patch indicates you want to change the check commands.

> case, because I presume that people using SSL in general *are* interested
> in having valid certificates (why are they using SSL then), and people
> explicitly wanting to turn it off are a relatively small group.

Maybe thats you POV, but I know a lot of people who just want to have the 
transport layer encrypted and they don't care (much) about the certificate 
itself when using SSL.

> > * what ever we choose as days until the cert expires ... users may edit
> > this anyways, as they want to set different values
>
> That's true, but I think that people would prefer to be warned at a moment
> they'd rather finetune to a somewhat different moment, over not being
> warned at all.

Forcing the people to edit the default check (files) leads them into the 
problem to migrate all changes in the config files provided by the package. 
This is really annoying, even more if it is caused by a change by package 
maintainers, which is forcing them into this step.

> Enabling it by default generates less work for most administrators, and
> proactively prevents service outage for those administrators that did not
> know about that check previously or forgot to set it.

As argued above, this may be the case in your environment and I understand 
your problem, but actually I think the disadvantages for the most of the users 
is much bigger.
If we can find a solution, which doesn't force (potential most of) the users 
to change the default checks, it will be fine. Actual I don't have such a 
solution in mind unfortunately.

I think I will tag this bug "wontfix", so it is visible to others ... if 
anybody comes up with a good solution and/or there will be a reply flood from 
others which also want to have validity checks enabled by default, we have to 
look into it again.

With kind regards, Jan.
-- 
Never write mail to <waja at spamfalle.info>, you have been warned!
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT d-- s+: a- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE
Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++
------END GEEK CODE BLOCK------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20091218/2297d7af/attachment.pgp>