On Wed, 2014-10-15 at 12:28 +0200, Vít Ondruch wrote:

> Nevertheless, I am still unsure how to proceed with RubyGems. Should I
> ship the bundled certificates again? Or should I wait until somebody
> notices?

Sorry for my late reply, because I didn't have a good suggestion earlier.

We should work with the upstream OpenSSL and GnuTLS projects, and motivate them to implement more advanced path building. This would be a long term project.

For the short term, I'd like to suggest the following strategy:

All legacy root CA certificates, which seem to be required for full compatibility with either OpenSSL or GnuTLS, will continue to be included and enabled in the ca-certificates package.

For users who are willing to accept the breakage and prefer using only the latest trust, we provide a mechanism to disable the legacy trust.

I've described the proposed approach in more detail at
https://bugzilla.redhat.com/show_bug.cgi?id=1158197

I've pushed experimental packages with this implementation to Rawhide and updates-testing for Fedora 21.

I have disabled the karma automatism, because I'll be offline for the next 2 weeks, and don't want things to go live while I'm away. I think it will be helpful to collect test feedback during that time, see if it's suitable, and make a ship/no-ship decision on this approach later.

So, to answer Vít's original question: I'd prefer if RubyGems didn't ship its own copy. I think our recent achievement that all software packages on a system use the same (default) set of trusted CA certificates is a good improvement, and I think we should keep it.

Thanks
Kai

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct