On Fri, 2014-11-21 at 14:03 +0100, Kai Engert wrote:
> On Fri, 2014-10-31 at 14:05 +0100, Kai Engert wrote:
> > All legacy root CA certificates, which seem to be required for full
> > compatibility with either OpenSSL or GnuTLS, will continue to be
> > included and enabled in the ca-certificates package.
> >
> > For users who are willing to accept the breakage and prefer using the
> > latest trust, only, we provide a mechanism to disable the legacy trust.
> >
> > I've described the proposed approach in more detail at
> > https://bugzilla.redhat.com/show_bug.cgi?id=1158197
> >
> > I've pushed experimental packages with this implementation to Rawhide
> > and updates-testing for Fedora 21. I have disabled the karma automatism,
> > because I'll be offline for the next 2 weeks, and don't want things to
> > go live while I'm away. I think it will be helpful to collect test
> > feedback during that time, and see if it's suitable, and make a
> > ship/no-ship decision of this approach later.
>
> In the meantime, while I was on vacation, the above has been
> (accidentally) pushed as a stable update for Fedora 21 already:
> ca-certificates-2014.2.1-1.5.fc21.noarch
>
> It seems it will be included in the final release of Fedora 21. Given
> that we keep legacy trust enabled, and given that I haven't seen any
> problem reports, it's probably OK.
>
> Using the new ca-legacy utility, users/administrators who are willing to
> accept the compatibility issues and who prefer to closely follow the
> Mozilla CA trust decisions, can disable trust for the legacy root CA
> certificates as a systemwide configuration, by executing this command as
> root:
> ca-legacy disable
>
> The configuration will be remembered in /etc/pki/ca-trust/ca-legacy.conf
> and will be used on future package upgrades, when additional
> certificates are moved to the legacy state.
>
> If required, it's possible to undo the configuration and restore the
> current default, using:
> ca-legacy enable
>
> The current configuration can be shown using:
> ca-legacy check
>
> Regarding Fedora 19 and Fedora 20:
>
> On F19/F20, GnuTLS is also affected by the breakage when disabling
> trust for the legacy CAs, because GnuTLS has been enhanced in Fedora 21
> and later, only.
>
> Updated packages for F19 and F20, that provide the update to version 2.1
> of the ca-certificates list, and which also include the new ca-legacy
> utility and configuration mechanism, have been pushed to
> updates-testing:
> https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19
> https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20
>
> Kai
>

Kai, this is very important information buried at the bottom of a long email thread; would you mind re-sending this summary in a new thread (also to devel-announce) so that people are sure to see it?
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
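The quoted message tells administrators that `ca-legacy disable` may break TLS verification against some sites and leaves it to them to decide whether they can accept that. The script below is an added example (not part of the ca-certificates package, nor code from Kai or the Fedora project) of how an administrator could find out before committing: it records the current state with `ca-legacy check`, switches to `ca-legacy disable`, verifies each listed host with the OpenSSL command-line client against the system trust store, and runs `ca-legacy enable` again if any host fails. It assumes the three ca-legacy subcommands are exactly the ones quoted above, that `openssl s_client` prints its usual "Verify return code: N (text)" line, and that the hosts listen on port 443; the host list on the command line is whatever the administrator considers representative.

```shell
#!/bin/sh
# ca-legacy-probe.sh: added example, not part of the ca-certificates package.
# Usage (as root): ./ca-legacy-probe.sh www.example.com mail.example.org ...
# Assumptions: ca-legacy offers check/disable/enable as quoted in the thread;
# openssl s_client prints "Verify return code: N (text)"; hosts use port 443.

# Extract the numeric verify return code from s_client output on stdin.
# Prints "unknown" if no such line was seen (for example, connection refused),
# which the caller treats as a failure rather than silently passing.
parse_verify_rc() {
    rc=$(sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    [ -n "$rc" ] && printf '%s\n' "$rc" || printf 'unknown\n'
}

# Read "host rc" lines on stdin and print how many have rc != 0.
count_failures() {
    awk '$2 != "0" { n++ } END { print n + 0 }'
}

# Verify one host against the current system trust; print "host rc".
# The empty stdin makes s_client close the connection after the handshake.
probe_host() {
    host=$1
    rc=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>&1 \
        | parse_verify_rc)
    printf '%s %s\n' "$host" "$rc"
}

main() {
    [ "$#" -gt 0 ] || { echo "usage: $0 host [host ...]" >&2; exit 2; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root: ca-legacy writes /etc/pki/ca-trust/ca-legacy.conf" >&2; exit 2; }
    command -v ca-legacy >/dev/null 2>&1 || { echo "ca-legacy is not installed" >&2; exit 2; }

    echo "Current configuration before the probe:"
    ca-legacy check

    # Switch to Mozilla-only trust, and roll back automatically on any exit
    # path until we have decided to keep the change.
    ca-legacy disable
    trap 'ca-legacy enable' EXIT

    results=$(for h in "$@"; do probe_host "$h"; done)
    printf '%s\n' "$results"
    failed=$(printf '%s\n' "$results" | count_failures)

    if [ "$failed" -eq 0 ]; then
        trap - EXIT
        echo "All $# host(s) verified with legacy trust disabled; keeping 'ca-legacy disable'."
    else
        echo "$failed host(s) failed without legacy trust; restoring 'ca-legacy enable'." >&2
        exit 1
    fi
}

# Only run the probe when invoked as a script, not when sourced for its functions.
case "$0" in *ca-legacy-probe.sh) main "$@" ;; esac
```

A non-zero verify return code here means the chain no longer builds to a trusted root once the legacy CAs are removed, which is exactly the compatibility breakage the message warns about; a host reported as "unknown" did not complete a handshake at all and should be investigated rather than counted as success. Because the rollback is done from an EXIT trap, an interrupted run still ends with legacy trust enabled.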