[Freeipa-devel] [DESIGN] Certificate profile update mechanism

Hi all, I've published a draft design for the profile update mechanism. This feature is to ensure that we can safely update included profiles even when we use Dogtag profile components only available in new versions. https://www.freeipa.org/page/V4/Certificate_profile_update_mechanism Interested persons, please review the design. In particular there are two main questions I would like to discuss: 1. We need to store the IPA version in IPA master entries. What should be the schema? https://www.freeipa.org/page/V4/Certificate_profile_update_mechanism#IPA_... 2. How should we deal with customised versions of included profiles? There is a big tradeoff here, of complexity + flexibility vs. simplicitity + reverting customisations to included profiles (and preventing them in future). https://www.freeipa.org/page/V4/Certificate_profile_update_mechanism#Deal... Thanks, Fraser