Description of problem:

The %post scriptlet creates the SSL certificate at /usr/share/ssl. This causes problems because:

* the /usr filesystem (including /usr/share/ssl) can be shared between several hosts; when there are multiple imap-servers, every one would use the same certificate. This will not work because CN must match the DNS name. This also causes problems when /usr is mounted read-only: then the %post scriptlet will fail because the certificate cannot be created.
* the sharing happens in >90% of all cases over an unencrypted network filesystem (NFS). So, an attacker could easily get the SSL key.

A better place for the certificates would be somewhere under /etc.

Version-Release number of selected component (if applicable): cyrus-imapd-2.2.10-1.fc3
The choice of /usr/share/ssl is dictated by the openssl package which puts its certificates in %{_datadir}/ssl, a standard location that is in compliance with FHS, or at least that was the thinking, but I think it's easily open to interpretation and you present viable and reasonable arguments to move it elsewhere. I could be persuaded that /var/lib/ssl/certs, /usr/local/ssl/certs, or /etc/ssl/certs all would represent locations consistent with FHS and would remedy the issues you raised. However, the configuration of the cyrus rpm is meant to be consistent with all other ssl usage in the distribution, that is the advantage of using a distribution from a single vendor. Also our cyrus rpm is derived almost verbatim from Simon Matter's rpm which is somewhat of a standard, and the certs location is consistent with his rpm as well. Although you present good arguments I'm not inclined to change the location in cyrus unless Red Hat decides to move /usr/share/ssl/certs for everything in the system. Such a move may make sense and I've cc'ed the owner of the openssl rpm (Nalin) on this bugzilla to allow him to comment. At the moment I tend to view this as an openssl issue and not a cyrus-imapd issue (because of system consistency). You do have the ability to move the certificate location via the imap.conf file for your installation.
I agree, all my rpms use %{_datadir}/ssl which is the de facto standard on RedHat/Fedora distributions.
Really? A counter-example is httpd which places certs + keys into /etc/httpd/ssl.*. I know only one other package which uses /usr/share/ssl for its keys: openldap-servers. The scriptlet there looks very similar to that of cyrus-imapd so I think one package copied the error of the other one. /usr/share/ssl can be used for CA certificates (ca-bundle) which will not conflict across machines. But it is not appropriate for host-specific and secret configuration files.
Because there was no rationale behind this WONTFIX, I guess this happened accidentally. Therefore, I am reverting to the previous state...
I thought the rationale was spelled out in comments #1 and #2.
But comment #3 shows that the assumptions in these comments are wrong.
Fixed in Fedora Extras.
We finally reached a consensus on a common directory to hold certs (/etc/pki). cyrus-imapd in extras was modified to place its pem file in the subdirectory /etc/pki/cyrus-imapd. We will eventually over time migrate other packages to use /etc/pki as well.
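
The two filesystem concerns raised in the report (a key directory that sits on a network share, or on a read-only mount) can be checked from the mount table. The following is an added example, not part of the bug thread or of the cyrus-imapd package; the function names and the sample mount table are constructed for illustration, and the table uses the column layout of /proc/mounts.

```shell
# Constructed sample mount table: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
fileserver:/export/usr /usr nfs ro,vers=3 0 0
/dev/sda2 /var ext3 rw,noatime 0 0'

# mount_for PATH [MOUNTS_TEXT]
# Prints "mountpoint fstype options" for the longest mount point that
# contains PATH. Reads the live /proc/mounts when no table is passed.
mount_for() {
    local path="$1"
    local table="${2-$(cat /proc/mounts)}"
    printf '%s\n' "$table" | awk -v p="$path" '
        {
            mp = $2
            # Match the root, an exact hit, or a directory prefix ("/usr" must
            # not match "/usrlocal", hence the trailing slash in the test).
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best_len) {
                    best_len = length(mp)
                    best = mp " " $3 " " $4
                }
        }
        END { print best }'
}

# audit_cert_path PATH [MOUNTS_TEXT]
# Prints the findings for the filesystem holding PATH, or "ok".
audit_cert_path() {
    local info fstype opts findings=""
    info=$(mount_for "$@")
    fstype=$(printf '%s\n' "$info" | cut -d' ' -f2)
    opts=$(printf '%s\n' "$info" | cut -d' ' -f3)
    case "$fstype" in
        # Network filesystems: the key would be shared between hosts
        nfs|nfs4|cifs|smbfs|smb3) findings="network-fs:$fstype" ;;
    esac
    case ",$opts," in
        # Read-only mount: a %post scriptlet cannot create the certificate
        *,ro,*) findings="${findings:+$findings }read-only" ;;
    esac
    echo "${findings:-ok}"
}
```

Calling `audit_cert_path /etc/pki/cyrus-imapd` with no second argument runs the same check against the live mount table of the host.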