On Wed, 14 Dec 2016 09:16:47 -0500 Colin Walters <walters@xxxxxxxxxx> wrote: > On Tue, Dec 13, 2016, at 10:53 PM, Kevin Fenzi wrote: > > FYI, I marked this thread to reply to, but I simply have not had > > time lately with last week on site at the datacenter and this > > weekend prepping for the flag day and this week helping people with > > fallout from the flag day. > > > > I'll try and get back to this this week, but please have some > > patience. > > That's fine! This seems like something we can get done if someone has > a chance to focus on it for a day or two. yeah. > > To summarize then, my understanding is: > > - Fedora chooses 1-2 other CA providers to use as backup, and acquires > certs from those providers for at least: > * mirrors.fedoraproject.org > * kojipkgs.fedoraproject.org > (Or maybe it's simpler to just do all of *fedoraproject.org, > either way) Yep. > - I will take care of prepping a patch for just the ostree portion of > Atomic Host to use this configuration > - We'll create a wiki page collaboratively describing this, and > post to fedora-devel how to enable it with the rpm-md > configuration, and have interested testers try it > > - At some point later, we change the fedora-repos package to enable > that configuration by default Did you hear back from the dnf/librepo folks? Is there a ticket or email thread I can follow along for their side of things? I'll fire off some emails here to figure out what other CA we could use and how (our current approved process is to get them all via digicert, so we need to find out a new process), as well as run it by infosec folks to make sure we didn't forget anything. > One thing this likely will break is people who run things like > `sed -i -e > s,baseurl=.*,http://myinternalmirror.corp.example.com /etc/yum.repos.d/fedora.repo`, > but I think we'll get past those types of minor things over time; the > security win is worth it. Yeah, I think we cant worry too much about those cases, and I think they are pretty small these days. kevin
Attachment:
pgp_Lk8cS76bg.pgp
Description: OpenPGP digital signature
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
