[oi-dev] removal of root CA certs from illumos-gate

Paul B. Henson henson at acm.org
Fri Nov 2 22:19:35 UTC 2012


illumos-gate currently includes root CA certificates, inherited from 
OpenSolaris. No one has been maintaining them, and the collection is 
currently stale to at least some degree. After some discussion, it 
seemed the best approach was to remove the certificates from 
illumos-gate and have distributions determine their own certificate 
policy and bundle them as deemed appropriate.

It was decided this would be a flag day, as anything depending on the 
illumos-gate provided certificates might break if replacement ones 
weren't installed at the same time.

There's a webrev of the intended changeset available at:

	http://www.csupomona.edu/~henson/tmp/3310-webrev/

There are two scenarios to consider. The first is your users upgrading 
via pkg. For OS-supplied packages, presumably there should be no 
noticeable impact in this scenario, as they would be released in 
synchronization, with whatever mechanism you decide upon to replace the 
illumos-gate provided certificates being delivered at the same time as 
the changes removing them. Any locally compiled packages or other uses 
of the certificates could potentially be impacted if you do not deliver 
the replacements in the same spot, and presumably there would be a 
release note in that case.

The other scenario is people running OI and updating via onu. Those 
users should (hopefully) be paying attention to flag day announcements. 
We plan to create a tarball of the certificates that will be removed and 
make it available so they could be temporarily replaced if necessary for 
a particular user pending a longer-term solution for their specific use 
case.

Are there any concerns/questions about this?

Thanks...



