On Tue, Dec 13, 2016, at 10:53 PM, Kevin Fenzi wrote:
> FYI, I marked this thread to reply to, but I simply have not had time
> lately with last week on site at the datacenter and this weekend
> prepping for the flag day and this week helping people with fallout
> from the flag day.
>
> I'll try and get back to this this week, but please have some patience.

That's fine! This seems like something we can get done if someone has a chance to focus on it for a day or two.

To summarize then, my understanding is:

- Fedora chooses 1-2 other CA providers to use as backup, and acquires certs from those providers for at least:
  * mirrors.fedoraproject.org
  * kojipkgs.fedoraproject.org
  (Or maybe it's simpler to just do all of *fedoraproject.org, either way)
- I will take care of prepping a patch for just the ostree portion of Atomic Host to use this configuration
- We'll create a wiki page collaboratively describing this, and post to fedora-devel how to enable it with the rpm-md configuration, and have interested testers try it
- At some point later, we change the fedora-repos package to enable that configuration by default

One thing this likely will break is people who run things like `sed -i -e 's,baseurl=.*,baseurl=http://myinternalmirror.corp.example.com,' /etc/yum.repos.d/fedora.repo`, but I think we'll get past those types of minor things over time; the security win is worth it.

_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx