[Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension

Christina Fu cfu at redhat.com
Wed Jan 7 17:19:51 UTC 2015


On 01/06/2015 09:12 PM, Fraser Tweedale wrote:
> On Wed, Jan 07, 2015 at 09:19:50AM +0700, Endi Sukma Dewata wrote:
>> On 12/18/2014 7:59 AM, Fraser Tweedale wrote:
>>> On Wed, Dec 17, 2014 at 10:13:04AM -0800, Christina Fu wrote:
>>>> Hi Fraser,
>>>> Regarding CRL, I found the following:
>>>> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/ilOoDiCU4JM
>>>> So I think we can just forget it then, unless you want to install old FF to
>>>> try.
>>>> You have an ACK on this patch now.
>>>>
>>>> About upgrade, I can see that you are on the right path there with the
>>>> upgrade script, and it looks to do the thing, but since I don't have much
>>>> experience with Python, could you please ask Endi to take a closer look?
>>>>
>>> Thanks Christina.
>>>
>>> Endi, any comments on upgrade script?
>>>
>>> Currently if you opt out of an upgrade step it aborts the whole
>>> process.  I think there could be scope for marking upgrade steps as
>>> optional so that the process doesn't bail out, but I haven't
>>> addressed that in the patch - wanted to solicit feedback first.
>>>
>>> Cheers,
>>>
>>> Fraser
>> I have some comments:
>>
>> 1. The upgrade script will run automatically when you install the RPM.
>> There's no opt-out mechanism with automatic upgrade, so the behavior of
>> existing instances will change. If this is not what we want, we should not
>> add an upgrade script.
>>
> I defer to Christina in this.  If automatically turning on the
> extension is not what customers want, we still want a way for them
> to be able to do it easily.  Is there currently a way to leverage
> the upgrade framework to do this?
I honestly don't know why that was even an option in the first place.
If you have tested successfully all the tests that I suggested, minus
that one Firefox one, then I think it's fine to change the default.
Worst case, they can turn it off manually.
>
> Perhaps there is scope to declare upgrade modules as automatic
> (executed when invoked via RPM) and manual (executed when invoked
> manually).  Or something like that.
>
>> 2. The path to CS.cfg can be constructed like this:
>>      cfg_path = os.path.join(subsystem.conf_dir, 'CS.cfg')
>>
>> 3. The existing CS.cfg should be backed up before doing anything with it
>> using this command:
>>      self.backup(cfg_path)
>>
>> 4. Ideally the CS.cfg should be read with a proper CS.cfg parser (e.g. in
>> case it has multi-line properties). But since the parser only exists in Java
>> and we're only modifying a simple property this is fine.
>>
>> 5. If this is going to be added into 10.2.2 you should create an empty
>> common/upgrade/10.2.2 folder with a .gitignore file (just copy from another
>> folder).
>>
>> If this is going to be added into 10.2.1 the script should be moved into
>> server/upgrade/10.2.1 and be renamed to 02-EnableCRLAKIExtension.
>>
>> This patch is conditionally ACKed pending changes to address item #2, #3,
>> and #5.
>>
> Will address these.  Thanks!
>
>> -- 
>> Endi S. Dewata
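
The CS.cfg handling from items 2 to 4 of the quoted review, as an added example that is not part of the thread or of the Dogtag code base: it backs up the file, makes a line-based edit of one simple property, and refuses to touch a multi-line property. The property name in `AKI_KEY`, the `.bak` copy standing in for `self.backup(cfg_path)`, and the temporary directory standing in for `subsystem.conf_dir` are assumptions made for illustration.

```python
import os
import shutil
import tempfile

# Assumed key name for illustration; the thread does not quote the property.
AKI_KEY = "ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable"


def _continues(line):
    # A Java-properties line continues when it ends in an odd number of backslashes.
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def set_simple_property(cfg_path, key, value):
    """Set key=value with a line-based edit; return True if the file changed.

    Raises ValueError when the key is part of a multi-line property (item 4),
    because only a real properties parser can rewrite that safely.
    """
    with open(cfg_path) as f:
        lines = f.read().splitlines()
    found = False
    for i, line in enumerate(lines):
        name, sep, old = line.partition("=")
        if not sep or name.strip() != key:
            continue
        if _continues(line) or (i > 0 and _continues(lines[i - 1])):
            raise ValueError("%s is multi-line; not editing %s" % (key, cfg_path))
        if old.strip() == value:
            return False              # already set: no backup, no rewrite
        lines[i] = "%s=%s" % (key, value)
        found = True
    if not found:
        lines.append("%s=%s" % (key, value))
    # Item 3: back up first (stand-in for the framework's self.backup(cfg_path)).
    shutil.copy2(cfg_path, cfg_path + ".bak")
    # Writing in place keeps the file's existing owner and mode.
    with open(cfg_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return True


if __name__ == "__main__":
    conf_dir = tempfile.mkdtemp()                 # stands in for subsystem.conf_dir
    cfg_path = os.path.join(conf_dir, "CS.cfg")   # item 2
    with open(cfg_path, "w") as f:                # constructed sample content
        f.write("ca.example.a=1\n%s=false\n" % AKI_KEY)
    print(set_simple_property(cfg_path, AKI_KEY, "true"))   # first run changes the file
    print(set_simple_property(cfg_path, AKI_KEY, "true"))   # second run is a no-op
```

Because an upgrade step can be re-run, the function leaves an already-enabled file untouched and does not overwrite the earlier backup in that case.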



