ca-certificates 2014.2.1 will remove several still valid CA certificates with weak keys

Nikos Mavrogiannopoulos nmav at redhat.com
Fri Oct 31 14:00:16 UTC 2014


On Fri, 2014-10-31 at 14:05 +0100, Kai Engert wrote:
> On Wed, 2014-10-15 at 12:28 +0200, Vít Ondruch wrote:
> > Nevertheless, I am still unsure how to proceed with RubyGems. Should I
> > ship the bundled certificates again? Or should I wait until somebody
> > notices?
> 
> Sorry for my late reply, because I didn't have a good suggestion
> earlier.
> 
> We should work with the upstream OpenSSL and the GnuTLS projects, and
> motivate them to implement more advanced path building. This would be a
> long term project.

Is there some issue with gnutls in F21? As far as I understand it should
work as expected with the certificates removed.

> So, to answer Vít's original question:
> I'd prefer if RubyGems didn't ship its own copy. I think our recent
> achievement that all software packages on a system use the same
> (default) set of trusted CA certificates is a good improvement, and I
> think we should keep it.

More than agree. No package should try provide "better" defaults than
the shipped ca-certificates, not only because it won't be better, but
because this is system configuration which administrators can and _do_
change. 

regards,
Nikos




More information about the devel mailing list