On Tue, Dec 13, 2016, at 10:53 PM, Kevin Fenzi wrote:
> FYI, I marked this thread to reply to, but I simply have not had
> lately with last week on site at the datacenter and this weekend
> prepping for the flag day and this week helping people with fallout
> from the flag day.
> I'll try and get back to this this week, but please have some patience.

That's fine! This seems like something we can get done if someone has
a chance to focus on it for a day or two.

To summarize then, my understanding is:

- Fedora chooses 1-2 other CA providers to use as backup, and acquires
  certs from those providers for at least:
  (Or maybe it's simpler to just do all of *fedoraproject.org, either way)
- I will take care of prepping a patch for just the ostree portion of
  Atomic Host to use this configuration
- We'll create a wiki page collaboratively describing this, and
  post to fedora-devel how to enable it with the rpm-md configuration,
  and have interested testers try it
- At some point later, we change the fedora-repos package to enable
  that configuration by default

One thing this likely will break is people who run things like
`sed -i -e s,baseurl=.*,http://myinternalmirror.corp.example.com
but I think we'll get past those types of minor things over time;
the security win is worth it.