Hi, I dealt with this issue. I prepared a package with removed certificates, should be ready in the repository for the next OpenIndiana release.
Cheers,
Adam

On Nov 2, 2012, at 11:19 PM, Paul B. Henson <[email protected]> wrote:

> illumos-gate currently includes root CA certificates, inherited from
> opensolaris. No one has been maintaining them, and the collection is
> currently stale to at least some degree. After some discussion, it seemed the
> best approach was to remove the certificates from illumos-gate and have
> distributions determine their own certificate policy and bundle them as
> deemed appropriate.
>
> It was decided this would be a flag day, as anything depending on the
> illumos-gate provided certificates might break if replacement ones weren't
> installed at the same time.
>
> There's a webrev of the intended changeset available at:
>
> http://www.csupomona.edu/~henson/tmp/3310-webrev/
>
> There are two scenarios to consider. The first is your users upgrading via
> pkg. For OS supplied packages, presumably there should be no noticeable impact
> in this scenario, as they would be released in synchronization, with whatever
> mechanism you decide upon to replace the illumos-gate provided certificates
> being delivered at the same time as the changes removing them. Any locally
> compiled packages or other uses of the certificates could potentially be
> impacted if you do not deliver the replacements in the same spot, and
> presumably there would be a release note in that case.
>
> The other scenario is people running OI and updating via onu. Those users
> should (hopefully) be paying attention to flag day announcements. We plan to
> create a tarball of the certificates that will be removed and make it
> available so they could be temporarily replaced if necessary for a particular
> user pending a longer-term solution for their specific use case.
>
> Are there any concerns/questions about this?
>
> Thanks...
>
> _______________________________________________
> oi-dev mailing list
> [email protected]
> http://openindiana.org/mailman/listinfo/oi-dev
