
Re: [Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension




On 01/06/2015 09:12 PM, Fraser Tweedale wrote:
On Wed, Jan 07, 2015 at 09:19:50AM +0700, Endi Sukma Dewata wrote:
On 12/18/2014 7:59 AM, Fraser Tweedale wrote:
On Wed, Dec 17, 2014 at 10:13:04AM -0800, Christina Fu wrote:
Hi Fraser,
Regarding CRL, I found the following:
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/ilOoDiCU4JM
So I think we can just forget it then, unless you want to install old FF to
try.
You have an ACK on this patch now.

About upgrade,  I can see that you are on the right path there with the
upgrade script, and it looks to do the thing, but since I don't have much
experience with Python, could you please ask Endi to take a closer look?

Thanks Christina.

Endi, any comments on upgrade script?

Currently if you opt out of an upgrade step it aborts the whole
process.  I think there could be scope for marking upgrade steps as
optional so that the process doesn't bail out, but I haven't
addressed that in the patch - wanted to solicit feedback first.

Cheers,

Fraser
I have some comments:

1. The upgrade script will run automatically when you install the RPM.
There's no opt-out mechanism with automatic upgrade, so the behavior of
existing instances will change. If this is not what we want, we should not
add an upgrade script.

I defer to Christina in this.  If automatically turning on the
extension is not what customers want, we still want a way for them
to be able to do it easily.  Is there currently a way to leverage
the upgrade framework to do this?
I honestly don't know why that was even an option in the first place. If you have tested successfully all the tests that I suggested, minus that one Firefox one, then I think it's fine to change the default. Worst case, they can turn it off manually.

Perhaps there is scope to declare upgrade modules as automatic
(executed when invoked via RPM) and manual (executed when invoked
manually).  Or something like that.

2. The path to CS.cfg can be constructed like this:
     cfg_path = os.path.join(subsystem.conf_dir, 'CS.cfg')

3. The existing CS.cfg should be backed up before doing anything with it
using this command:
     self.backup(cfg_path)

4. Ideally the CS.cfg should be read with a proper CS.cfg parser (e.g. in
case it has multi-line properties). But since the parser only exists in Java
and we're only modifying a simple property this is fine.

5. If this is going to be added into 10.2.2 you should create an empty
common/upgrade/10.2.2 folder with a .gitignore file (just copy from another
folder).

If this is going to be added into 10.2.1 the script should be moved into
server/upgrade/10.2.1 and be renamed to 02-EnableCRLAKIExtension.

This patch is conditionally ACKed pending changes to address item #2, #3,
and #5.

Will address these.  Thanks!

--
Endi S. Dewata
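
Review items 2 to 4 above (build the CS.cfg path, back it up, then make a line-based edit of one simple property) can be sketched as follows. This is an added example, not part of the thread or of the project's code: `enable_property` and the property name are hypothetical, a plain file copy stands in for the framework's `self.backup()`, and the trailing-backslash continuation check assumes Java-properties syntax.

```python
import os
import shutil

# Constructed placeholder: the thread does not name the real CS.cfg property.
EXAMPLE_KEY = "example.crl.extension.enable"


def enable_property(conf_dir, key=EXAMPLE_KEY, value="true"):
    """Back up CS.cfg, then set key=value. Returns True if the file changed."""
    cfg_path = os.path.join(conf_dir, "CS.cfg")  # item 2
    with open(cfg_path, encoding="utf-8") as f:
        lines = f.read().splitlines()

    found = changed = False
    for i, line in enumerate(lines):
        name, sep, old = line.partition("=")
        if not sep or name.strip() != key:
            continue  # other properties and '#' comments are left untouched
        # Item 4: this is a line-based edit, not a real parser. Assumption:
        # a continued value ends in a backslash, as in Java .properties files.
        if line.endswith("\\") or (i > 0 and lines[i - 1].endswith("\\")):
            raise ValueError(f"{key} spans several lines; edit it by hand")
        found = True
        if old.strip() != value:
            lines[i] = f"{key}={value}"
            changed = True
    if not found:
        lines.append(f"{key}={value}")
        changed = True
    if not changed:
        return False  # already set: no backup, no rewrite

    # Item 3: back up before writing. copy2 keeps the mode bits, so the
    # backup is not left more readable than the original file.
    shutil.copy2(cfg_path, cfg_path + ".bak")
    # Writing in place keeps the original owner and mode of CS.cfg.
    with open(cfg_path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return True
```

Because the function returns `False` without touching anything when the value is already set, re-running it does not overwrite the first backup with an already-modified file.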

