[Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension
Fraser Tweedale
ftweedal at redhat.com
Thu Jan 8 04:59:44 UTC 2015
On Wed, Jan 07, 2015 at 05:48:26PM +0700, Endi Sukma Dewata wrote:
> On 1/7/2015 12:12 PM, Fraser Tweedale wrote:
> >>1. The upgrade script will run automatically when you install the RPM.
> >>There's no opt-out mechanism with automatic upgrade, so the behavior of
> >>existing instances will change. If this is not what we want, we should not
> >>add an upgrade script.
> >>
> >I defer to Christina in this. If automatically turning on the
> >extension is not what customers want, we still want a way for them
> >to be able to do it easily. Is there currently a way to leverage
> >the upgrade framework to do this?
> >
> >Perhaps there is scope to declare upgrade modules as automatic
> >(executed when invoked via RPM) and manual (executed when invoked
> >manually). Or something like that.
>
> Yes, see this ticket:
> https://fedorahosted.org/pki/ticket/1135
>
> So the plan is to split structural and behavioral upgrade scripts.
> Structural upgrade is mandatory and executed automatically, while behavioral
> upgrade is optional. Your upgrade script seems to be a behavioral one. We
> probably can use the same upgrade framework, but the behavioral scripts will
> be put under a separate folder.
>
> Also, since the script changes the CS.cfg, we should advise the admin to
> shut down the server first to avoid corrupting the file. See:
> https://fedorahosted.org/pki/ticket/1163
>
I split the patch into the original part and the upgrade script,
pushed the original part (master: 9e8c518), created ticket #1236 to
cover the upgrade aspect and closed #1189.
So more work is needed before the CS.cfg update can happen in a safe
way (#1163 in particular)? I see that those tickets are for 10.3.
This change is non-urgent (after all, no one has complained or
possibly even noticed that the configuration was non-conformant), so
I think it is fine to wait until enough of #1135 and/or #1163 is in
place so that we can do the upgrade safely.
> --
> Endi S. Dewata