[oi-dev] removal of root CA certs from illumos-gate

Adam Števko adam.stevko at gmail.com
Fri Nov 23 22:23:29 UTC 2012


Hi,

I dealt with this issue. I prepared a package with removed certificates; it should be ready in the repository for the next OpenIndiana release.

Cheers,

Adam

On Nov 2, 2012, at 11:19 PM, Paul B. Henson <henson at acm.org> wrote:

> illumos-gate currently includes root CA certificates, inherited from opensolaris. No one has been maintaining them, and the collection is currently stale to at least some degree. After some discussion, it seemed the best approach was to remove the certificates from illumos-gate and have distributions determine their own certificate policy and bundle them as deemed appropriate.
> 
> It was decided this would be a flag day, as anything depending on the illumos-gate provided certificates might break if replacement ones weren't installed at the same time.
> 
> There's a webrev of the intended changeset available at:
> 
> 	http://www.csupomona.edu/~henson/tmp/3310-webrev/
> 
> There are two scenarios to consider. The first is your users upgrading via pkg. For OS supplied packages, presumably there should be no noticeable impact in this scenario, as they would be released in synchronization, with whatever mechanism you decide upon to replace the illumos-gate provided certificates being delivered at the same time as the changes removing them. Any locally compiled packages or other uses of the certificates could potentially be impacted if you do not deliver the replacements in the same spot, and presumably there would be a release note in that case.
> 
> The other scenario is people running OI and updating via onu. Those users should (hopefully) be paying attention to flag day announcements. We plan to create a tarball of the certificates that will be removed and make it available so they could be temporarily replaced if necessary for a particular user pending a longer-term solution for their specific use case.
> 
> Are there any concerns/questions about this?
> 
> Thanks...
> 
