On 12/1/17 2:25 PM, Rajan Halade wrote:
On 12/1/17 10:09 AM, Sean Mullan wrote:
So only the VerifyCACerts test would potentially fail by default (it is part of tier2). If this becomes a big issue, we can follow-up later and investigate more with some sort of fix, but I don't think this should hold up the current fix.
Would it be acceptable if I change blocks at line 227-231 and 234-239 to soft-failures? Essentially then this test will only validate a cert if it is present in keystore. This test is designed to check integrity of cacerts keystore but if we are to allow test to pass with different cacerts specified using --with-cacerts-file then it may be acceptable.

I don't think we should do that. This could more easily allow a non-approved cert to accidentally make its way into the real cacerts keystore without detection.

We can handle the alternate cacerts keystore issue with a better solution later, if necessary.

--Sean

Reply via email to