Re: ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

On Wed, 2014-10-15 at 12:28 +0200, Vít Ondruch wrote:
> Nevertheless, I am still unsure how to proceed with RubyGems. Should I
> ship the bundled certificates again? Or should I wait until somebody
> notices?

Sorry for my late reply, because I didn't have a good suggestion
earlier.

We should work with the upstream OpenSSL and the GnuTLS projects, and
motivate them to implement more advanced path building. This would be a
long term project.

For the short term, I'd like to suggest the following strategy:

All legacy root CA certificates, which seem to be required for full
compatibility with either OpenSSL or GnuTLS, will continue to be
included and enabled in the ca-certificates package.

For users who are willing to accept the breakage and prefer using the
latest trust, only, we provide a mechanism to disable the legacy trust.

I've described the proposed approach in more detail at
https://bugzilla.redhat.com/show_bug.cgi?id=1158197

I've pushed experimental packages with this implementation to Rawhide
and updates-testing for Fedora 21. I have disabled the karma automatism,
because I'll be offline for the next 2 weeks, and don't want things to
go live while I'm away. I think it will be helpful to collect test
feedback during that time, and see if it's suitable, and make a
ship/no-ship decision of this approach later.

So, to answer Vít's original question:

I'd prefer if RubyGems didn't ship its own copy. I think our recent
achievement that all software packages on a system use the same
(default) set of trusted CA certificates is a good improvement, and I
think we should keep it.

Thanks
Kai


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct