On Tue, 11 Mar 2008, Mike Bonnet wrote: > On Tue, 2008-03-11 at 21:52 +0100, Till Maas wrote: > > On Tue March 11 2008, Dennis Gilmore wrote: > > > On Tuesday 11 March 2008, Till Maas wrote: > > > > Hiyas, > > > > > > > > now that everyone needs to change his password, can we now also deploy > > > > the new certifcate for koji? This will make it possible to verify whether > > > > or not one can trust the certificate for koji and the ticket[1] is now 7 > > > > months old, i.e. about a full Fedora release cycle. Therefore I guess > > > > there won't be a better time than now. > > > > > > > > Regards, > > > > Till > > > > > > > > [1] https://fedorahosted.org/fedora-infrastructure/ticket/88 > > > > > > No, Because it will break user certs. To make it work would require that > > > users all get entirely new server cert files. We need to redo our entire > > > CA system. We also need to consider the ramifications for Secondary > > > arches, deploying a new CA would require each and every Secondary arch to > > > purchase a cert from the same CA. or somebody to purchase a cert that > > > covered *.koji.fedoraproject.org from the same CA. > > > > > > we are looking at deploying the hub on a separate box from the frontend > > > which would allow us to do what you are wanting but would not look after > > > secondary arches. > > > > How about making the hub (I assume this is only used by automated processes > > and not manually) listen on a different port than 443? Then the web interface > > could use the new well know certificate. The automated processes the internal > > ones, where imho using a own ca does not hurt. Also using a different port > > should be only a matter of configuring it once. > > The secondary arch instances could then use a cacert[0] certificate, which are > > free and are trusted by some browsers already for the web interface. > > The Koji cli communicates with the hub for all operations, so it would > require everyone to update their Koji config. In addition, I'm sure > running ssl on a non-standard port would mess with some people's > proxy/firewall setups. I don't think this is the best solution. > It's really not that we don't want to do this. It's a lot of work with high potential for breakage and annoyance to everyone and the benefit to most people is unclear. -Mike _______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
