Comment 11 for bug 854927

Loïc Minier (lool) wrote :

While this won't happen with current ca-certificates, I think we should revert the changes which caused this bug:
in Debian's 20110421 QA upload, a c_rehash call was added to postinst for upgrades from versions <= 20090814+nmu3; this was an attempt to rebuild the symlinks in /etc/ssl/certs, but because update-ca-certificates wasn't removing /etc/ssl/cert/ca-certificates.crt, it did generate one symlink to this file for the first certificate. With the Debian change from openssl 1.0.0e-1 to support multiple certificates in one file, this probably took even worse proportions. However, this probably depended on the order in which c_rehash processed files; it just does readdir() and generates links for the first certificate of each .pem and .crt file it finds.

Now in 20110502+nmu1ubuntu1/20110502+nmu1ubuntu2, a call was added to properly regenerate the links, but kept the plain c_rehash call *after* it in the postinst, so that it might trigger when upgrading from <= 20090814+nmu3 (so upgrades from natty or lucid will cause this).

Because of the new call I've added in 20110502+nmu1ubuntu4 to regenerate certs when upgrading from <= 20110502+nmu1ubuntu4, this should be fixed for oneiric users.

Now, what needs to be fixed:
* plain c_rehash is wrong in any case; also an issue in Debian (and the rm needs to be copied there too)
* postinst has tons of update-ca-certificates calls, mine is the strongest one as it affects all updates (from natty); all of these should be dropped after oneiric

Now this could be fixed in oneiric + 1, but it would be clearer to remove these now to prevent any regression when removing the postinst snippets (e.g. leaving the plain c_rehash call alone after oneiric would be wrong).
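
A check for the symptom described in the comment above, added here as an example and not part of the original comment or of the ca-certificates packaging: it lists hash-named symlinks in a certificate directory that resolve to a multi-certificate file such as ca-certificates.crt. The function names, the sample directory and the made-up hash names are assumptions, and the check generalizes to any bundle file rather than only ca-certificates.crt.

```shell
#!/bin/sh
# Added example: report c_rehash-style hash links that resolve to a bundle.

# Print every <8 hex>.<n> symlink in DIR whose target holds more than one
# certificate (for example ca-certificates.crt), one per line.
find_bundle_links() {
    dir=${1:-/etc/ssl/certs}
    for link in "$dir"/*; do
        [ -L "$link" ] || continue          # only symlinks
        [ -f "$link" ] || continue          # skip dangling links
        name=${link##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        # Count PEM certificate headers in the file the link resolves to.
        count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$link" || true)
        if [ "$count" -gt 1 ]; then
            printf '%s -> %s (%s certificates)\n' "$name" "$(readlink "$link")" "$count"
        fi
    done
}

# Build a constructed sample directory (marker lines only, no real
# certificates) and print its path. Hash names are made up.
build_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' > "$d/single.pem"
    cat "$d/single.pem" "$d/single.pem" > "$d/ca-certificates.crt"
    ln -s single.pem "$d/aaaaaaaa.0"
    ln -s ca-certificates.crt "$d/bbbbbbbb.0"
    ln -s ca-certificates.crt "$d/bundle-alias.pem"   # not a hash name, ignored
    printf '%s\n' "$d"
}

sample=$(build_sample_dir)
find_bundle_links "$sample"
rm -rf "$sample"
```

An empty result from `find_bundle_links /etc/ssl/certs` means no hash link in that directory resolves to a bundle.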