On Mon, 21 Nov 2016 10:16:55 -0500
Colin Walters <walters(a)verbum.org> wrote:
On Fri, Oct 14, 2016, at 08:42 AM, Colin Walters wrote:
> Anyways, there's a higher level question here - you're arguing
> for pinning to Digicert rather than a custom CA. That seems good
> enough, but I think we need a recovery mechanism in case Digicert
> So I'd propose pinning to a 3 set of CAs:
> - Digicert
> - Some other well-regarded CA vendor
> - A Fedora-infra custom CA (doesn't have to be deployed, just a
> backup plan)
Any further thoughts here?
> And as for a specific implementation mechanism, we'd have just
> those CAs in /etc/pki/tls/certs/fedora-infra.crt or so, and that
> file would be in the fedora-repos package. The argument for this
> again is that librepo and ostree already have all of the code for
> this, and so does curl etc.
I suppose thats workable if all the stakeholders agree.
So, we would need:
1. certs in fedora-repos package
2. librepo would need changes to know to check those.
3. ostree would need changes to know to check those.
I've not heard from librepo folks, should we ask them before moving
forward here? fedora-repos would need ack from Dennis (who is currently
on vacation), but I don't think that should be a problem.