
Re: [Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension



On 1/8/2015 11:59 AM, Fraser Tweedale wrote:
Also, since the script changes the CS.cfg, we should advise the admin to
shut down the server first to avoid corrupting the file. See:
https://fedorahosted.org/pki/ticket/1163

I split the patch into the original part and the upgrade script,
pushed the original part (master: 9e8c518), created ticket #1236 to
cover the upgrade aspect and closed #1189.

So more work is needed before the CS.cfg update can happen in a safe
way (#1163 in particular)?  I see that those tickets are for 10.3.
This change is non-urgent (after all, no one has complained or
possibly even noticed that the configuration was non-conformant), so
I think it is fine to wait until enough of #1135 and/or #1163 is in
place so that we can do the upgrade safely.

Yeah, it would require some changes to the code to guarantee a safe CS.cfg modification and we haven't yet decided how to do that properly.

BTW, does this change affect CA only? If that's the case, the script probably should check the subsystem name.

We can also set a default value for this property somewhere else, then remove this property from CS.cfg in new installations. The upgrade script later can optionally remove the property from existing CS.cfg if the admin wants. If the CS.cfg still has that property left, it will override the default value. That way we will convert most systems to use the new recommended behavior, but existing behavior can be preserved if necessary, and we will also incrementally simplify the CS.cfg.

--
Endi S. Dewata

