Random thoughts/crazy idea: Drop SSL certs

Peter Robinson pbrobinson at gmail.com
Mon Apr 27 16:57:19 UTC 2015


On Mon, Apr 27, 2015 at 5:43 PM, Dennis Gilmore <dennis at ausil.us> wrote:
> On Monday, April 27, 2015 03:45:00 PM Pierre-Yves Chibon wrote:
>> Good morning everyone,
>>
>> This week-end I had a random thought, which I quickly discussed with Dennis
>> on IRC on Sunday but that I thought might be interesting to discuss in a
>> wider audience.
>>
>> The initial thought came from a text that Dennis wrote:
>> """
>> Releng tracks this data in 2 systems, 1 of which we own: Koji and Bodhi.
>> Koji uses ssl certs tied to FAS and bodhi uses FAS for authentication to
>> provide a strong relationship between a user and the content
>> """
>> Source:
>> https://fedoraproject.org/wiki/ReleaseEngineering/Philosophy#Auditable
>>
>> This has led me to the question: Is this all that SSL certs are bringing
>> us?
>
> It does a two-way authentication/authorisation. Apache on the server side
> validates that the cert is signed by our CA and not revoked, while on the
> client side Koji at least (I would need to double check that fedpkg does for the
> lookaside cache) verifies that the server cert is signed by the appropriate
> CA and is not revoked also.

https://github.com/release-engineering/dist-git

Good overview there. To quote: "The client authenticates with an ssh
certificate for git communication and with an http client certificate
for uploads to the lookaside cache." But it seems the comms are in the rpkg
dep of fedpkg (or aren't we using a fedpkg with rpkg support yet?).

Peter
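The two checks Dennis describes above (the cert is signed by our CA, and it is not revoked) can be reproduced on the command line. The script below is an added example and is not Fedora infrastructure code or anything from dist-git/koji/rpkg: it stands up a throwaway CA that plays the role of the Fedora CA, issues one client cert whose CN stands in for a FAS username, and runs the same verification a server would run, before and after revoking the cert, plus once against a cert from an unrelated issuer. The only assumption is that the openssl CLI (1.1.1 or 3.x) is on PATH; the CA name, usernames and file names are made up.

```shell
#!/bin/sh
# Added example (not Fedora's code): a throwaway private CA standing in for the
# Fedora CA, one client cert standing in for a FAS-tied Koji cert, and the two
# server-side checks named in the thread: signed by our CA, and not revoked.
# Assumes the openssl CLI (1.1.1 or 3.x) is in PATH.
set -e

# Minimal config so `openssl req` / `openssl ca` work without the system openssl.cnf.
write_ca_config() {
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# Publish a fresh CRL. A verifier that is never handed a current CRL is not
# really checking revocation, and openssl rejects an expired CRL outright.
refresh_crl() {
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# Create a fresh CA directory (constructed; "Demo Fedora CA" is a made-up name).
setup_ca() {
    CA_DIR=$(mktemp -d)
    cd "$CA_DIR"
    write_ca_config
    : > index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Fedora CA" -config ca.cnf \
        -keyout ca.key -out ca.crt >/dev/null 2>&1
    refresh_crl
}

# Issue a client cert for a user; the CN stands in for the FAS username.
issue_client_cert() {   # $1 = username
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config ca.cnf \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -notext -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

# The server-side check from the thread: chain must end at our CA and the leaf
# must not appear on our CRL. Exit status 0 = accept, non-zero = reject.
verify_client_cert() {  # $1 = cert file
    openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check "$1" >/dev/null 2>&1
}

# Mark a cert revoked in the CA database and reissue the CRL.
revoke_client_cert() {  # $1 = cert file
    openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1
    refresh_crl
}

# A self-signed cert with the same CN from some other issuer: must be rejected.
make_foreign_cert() {   # $1 = output file
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=pingou" -config ca.cnf \
        -keyout foreign.key -out "$1" >/dev/null 2>&1
}

demo() {
    setup_ca
    issue_client_cert pingou
    verify_client_cert pingou.crt && echo "pingou.crt: accepted (our CA, not revoked)"
    make_foreign_cert foreign.crt
    verify_client_cert foreign.crt || echo "foreign.crt: rejected (not signed by our CA)"
    revoke_client_cert pingou.crt
    verify_client_cert pingou.crt || echo "pingou.crt: rejected (revoked)"
}

demo
```

`openssl verify -CAfile ... -CRLfile ... -crl_check` is the command-line equivalent of what mod_ssl does with `SSLVerifyClient require`, `SSLCACertificateFile`, `SSLCARevocationFile` and `SSLCARevocationCheck`, and of a client doing `CERT_REQUIRED` with `VERIFY_CRL_CHECK_LEAF` in Python's `ssl` module; the same check applied to the server cert is the client-side half Dennis mentions. The practical caveat is the CRL itself: the revocation half of the check is only as good as the CRL the verifier was last given, so a deployment that never refreshes it is effectively doing chain validation only.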
