[Freeipa-devel] [PATCHES] 0210-0213 Drop selfsign server functionality

Martin Kosek mkosek at redhat.com
Mon Apr 15 13:39:01 UTC 2013


On 04/04/2013 09:14 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> Hello,
>>
>> These patches convert selfsign masters to CA-less on upgrade, and remove
>> all selfsign-related code
>>
>> The files the CA uses are left around for admins to pick up cert
>> management manually. Instructions for that are provided in the design
>> document. They pretty much just document what the selfsign CA did.
>> Removing the automation may seem like a step backwards, but when the
>> steps are just a wiki page, the admins can adjust for their needs (e.g.
>> issue wildcard certs). For an automated solution we have Dogtag.
>>
>> Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
>> Ticket: https://fedorahosted.org/freeipa/ticket/3494
>>
>> (Note that removing the --selfsign *option*, not functionality, has a
>> separate ticket and design doc.)
> 
> As I've been looking at this I'm having some reservations about this. It is
> going to remove functionality from a running server. And once gone I don't
> think one could easily get it back.
> 
> I guess I'd be fine deprecating it and no longer providing any support, and
> strongly recommending that people move away from it, but dropping it
> mid-release seems rather strict.
> 
> rob

I am thinking that keeping the nonfunctional selfsign code would rather create a
mess; I would personally tend towards removing it in 3.2. As this patch also
converts selfsign installations to CA-less, current selfsign installations would
still work, except for creating replicas, where people would need to generate
certs for the replica.

I also did not see much resistance or concerns when Petr sent a heads-up mail
to freeipa-users (but of course, not every one of our users reads that).
https://www.redhat.com/archives/freeipa-users/2013-March/msg00235.html

Martin
