Re: [Pki-devel] [PATCH] 0017 Enable Authority Key Identifier CRL extension
On 1/8/2015 11:59 AM, Fraser Tweedale wrote:
> Also, since the script changes the CS.cfg, we should advise the
admin to
> shutdown the server first to avoid corrupting the file. See:
> https://fedorahosted.org/pki/ticket/1163
>
I split the patch into the original part and the upgrade script,
pushed the original part (master: 9e8c518), created ticket #1236 to
cover the upgrade aspect and closed #1189.
So more work is needed before the CS.cfg update can happen in a safe
way (#1163 in particular)? I see that those tickets are for 10.3.
This change is non-urgent (after all, noone has complained or
possibly even noticed that the configuration was non-conformant), so
I think it is fine to wait until enough of #1135 and/or #1163 is in
place so that we can do the upgrade safely.
Yeah, it would require some changes to the code to guarantee a safe
CS.cfg modification and we haven't yet decided how to do that properly.
BTW, does this change affect CA only? If that's the case the script
probably should check the subsystem name.
We can also set a default value for this property somewhere else, then
remove this property from CS.cfg in new installations. The upgrade
script later can optionally remove the property from existing CS.cfg if
the admin wants. If the CS.cfg still has that property left, it will
override the default value. That way we will convert most systems to use
the new recommended behavior, but existing behavior can be preserved if
necessary, and we will also incrementally simplify the CS.cfg.
--
Endi S. Dewata