On 04/04/2013 09:14 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> Hello,
>>
>> These patches convert selfsign masters to CA-less on upgrade, and remove
>> all selfsign-related code.
>>
>> The files the CA uses are left around for admins to pick up cert
>> management manually. Instructions for that are provided in the design
>> document. They pretty much just document what the selfsign CA did.
>> Removing the automation may seem like a step backwards, but when the
>> steps are just a wiki page, the admins can adjust for their needs (e.g.
>> issue wildcard certs). For an automated solution we have Dogtag.
>>
>> Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
>> Ticket: https://fedorahosted.org/freeipa/ticket/3494
>>
>> (Note that removing the --selfsign *option*, not functionality, has a
>> separate ticket and design doc.)
>
> As I've been looking at this I'm having some reservations about this. It is
> going to remove functionality from a running server. And once gone I don't
> think one could easily get it back.
>
> I guess I'd be fine deprecating it and no longer providing any support, and
> strongly recommending that people move away from it, but dropping it
> mid-release seems rather strict.
>
> rob
I am thinking that keeping the nonfunctional selfsign code would rather create a mess; I would personally tend to removing that in 3.2. As this patch also converts selfsign installations to CA-less, current selfsign installations would still work, except for creating replicas, where people would need to generate certs for the replica.

I also did not see much resistance or concerns when Petr sent a heads-up mail to freeipa-users (but of course, not every one of our users reads that).

https://www.redhat.com/archives/freeipa-users/2013-March/msg00235.html

Martin