~lioploum/offpunk-devel


Moving cached certificates from .local/share to .cache

Message ID
<171909069769.8.11000184461859864172.361844737@ploum.eu>
Hi,

I would like some feedback.

The work done by Bert made me think about where we are storing the 
certificates. Currently, they are in .local/share/offpunk, with your 
lists.

I’m currently thinking that server side certificates should probably be 
moved into .cache. Those are not the kind of data you would like to 
save/backup. It doesn’t make sense to keep old certificates while the 
cache is emptied.

On the other hand, client certificates are important to back up and 
should be in .local/share in a folder clearly marked as such.

What do you think?

-- 
Ploum - Lionel Dricot
Blog: https://www.ploum.net
Livres: https://ploum.net/livres.html
Message ID
<20240622230237.GA29272@patsas>
In-Reply-To
<171909069769.8.11000184461859864172.361844737@ploum.eu>
Hi,

I would argue that both client and server certificates are important to 
back up. The server certificates are used for Gemini's TOFU scheme if I 
understand correctly. In that case they are necessary for avoiding 
person-in-the-middle attacks and so I don't think they should be cleared 
together with the cache. SSH works similarly, by placing the known hosts 
file inside its configuration directory.

Sotiris
Message ID
<bklp4qt6mbmlim25pltnfisiy6eedvxzzhmxh65arqef564elo@pbyalq6cc5hx>
In-Reply-To
<20240622230237.GA29272@patsas>
Sotiris Papatheodorou wrote:

> I would argue that both client and server certificates are important to back up.

I agree with this.

Perhaps offpunk could use the $XDG_STATE_HOME (default: ~/.local/state) directory instead of $XDG_CACHE_HOME. I wouldn't object to XDG_DATA_HOME (~/.local/share) but the data is not really “shared” with anyone — they're for offpunk only — so I prefer the state directory.

Cheers,

-- 
Kʟᴀᴜꜱ Aʟᴇxᴀɴᴅᴇʀ Sᴇɪꜱᴛʀᴜᴘ
https://kas.bio.link/ 🇩🇰
Message ID
<171915833388.7.15838577427719822328.362283449@ploum.eu>
In-Reply-To
<bklp4qt6mbmlim25pltnfisiy6eedvxzzhmxh65arqef564elo@pbyalq6cc5hx>
On 24 jun 23 11:49, Klaus Alexander Seistrup wrote:
>Sotiris Papatheodorou wrote:
>
>> I would argue that both client and server certificates are important to back up.
>
>I agree with this.
>
>Perhaps offpunk could use the $XDG_STATE_HOME (default: ~/.local/state) directory instead of $XDG_CACHE_HOME. I wouldn't object to XDG_DATA_HOME (~/.local/share) but the data is not really “shared” with anyone — they're for offpunk only — so I prefer the state directory.


I like the idea of XDG_STATE_HOME a lot.

According to the spec:

"The $XDG_STATE_HOME contains state data that should persist between 
(application) restarts, but that is not important or portable enough to 
the user that it should be stored in $XDG_DATA_HOME."

https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html


I feel that it is perfectly appropriate: nothing really bad happens if 
you lose server certificates. 

TBH, I’ve never cared much about certificate errors as I don’t see the 
point in trying to spoof one for a gemini capsule and new certificates 
happen all the time for various reasons (and I must not be alone doing it 
that way). 

Saving them in STATE_HOME might be a very good compromise: you don’t 
clear them with the cache but you don’t need a strong backup policy as 
you would for SHARE_HOME.


(which raises the question that offpunk cache is becoming so incredibly 
important to me that I’m starting to back it up…  But this is a subject for 
another thread)
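
The layout discussed in this thread, as an added example that is not part of the original messages and is not offpunk's own code: a TOFU pin store for server certificates kept under $XDG_STATE_HOME, so that emptying the cache does not discard the pins. The names `state_dir`, `TofuStore` and `known_certs.json` are hypothetical, and the certificate bytes in the demo are constructed.

```python
import hashlib
import json
import os
from pathlib import Path


def state_dir(env=None, app="offpunk"):
    """Resolve $XDG_STATE_HOME/<app>; unset, empty or relative values fall back to the default."""
    env = os.environ if env is None else env
    base = env.get("XDG_STATE_HOME", "")
    if not os.path.isabs(base):  # the basedir spec says relative paths must be ignored
        base = os.path.join(env.get("HOME") or os.path.expanduser("~"), ".local", "state")
    return Path(base) / app


class TofuStore:
    """Known-hosts style pin file: 'host:port' -> SHA-256 of the server's DER certificate."""

    def __init__(self, directory):
        self.path = Path(directory) / "known_certs.json"  # hypothetical file name
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host, port, der_cert):
        """Return 'new' (pinned now), 'match', or 'changed' (pin kept, caller decides)."""
        key = f"{host}:{port}"
        seen = hashlib.sha256(der_cert).hexdigest()
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            self._save()
            return "new"
        return "match" if pinned == seen else "changed"

    def _save(self):
        self.path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
        tmp = self.path.with_suffix(".tmp")
        tmp.write_text(json.dumps(self.pins, indent=1, sort_keys=True))
        os.replace(tmp, self.path)  # atomic rename: never leaves a half-written pin file


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a throwaway state directory and fake certificate bytes.
    store = TofuStore(state_dir({"XDG_STATE_HOME": tempfile.mkdtemp()}))
    for cert in (b"constructed-cert-A", b"constructed-cert-A", b"constructed-cert-B"):
        print(store.check("capsule.example", 1965, cert))
```

If the pin file is lost, every host comes back as "new" on the next visit, which is the trade-off the thread weighs when choosing between the cache, state and data directories.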