Once upon a time, Neal Gompa <ngomp...@gmail.com> said:
> This file has to remain on the system for a completely different
> reason: other crypto libraries may and do probably use this file. It
> is unreasonable to delete what essentially is our certificate store
> API without going through and fixing *all* crypto libraries and
> applications that directly load the CA store themselves to work with
> it upstream.

Yeah, there's nothing that says "this file is for OpenSSL's internal use only". I know I've written code that references it. It's /etc/pki/tls, not /etc/openssl-private-nobody-else-use; it gives all appearances of being a shared file.

Also, there's not a way to test this (e.g. remove the cert.pem symlink and see what breaks); the change says the speed-up is to use the directory-hash format by default... but there's no hashes in /etc/pki/tls/certs. Something needs to be managing those hashes (creating, updating, deleting stale) BEFORE the bundle can be deprecated.

If the hashes directory (once populated) is also going to be considered OpenSSL-only, it should be moved out from under /etc/pki/tls into a directory that is obviously OpenSSL-only.

--
Chris Adams <li...@cmadams.net>
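The check the message above asks for (are there hash entries in the directory, and are any stale), as an added example that is not part of the original message or of any Fedora or OpenSSL tooling. It assumes OpenSSL's hashed-directory naming (`<8 hex digits>.<n>`) and only audits the link structure; it does not recompute subject hashes, and the function names and sample layout are constructed for illustration.

```python
import os
import re
import tempfile

# OpenSSL hashed-directory entries are named <8 hex digits>.<n>, e.g. 5ad8a5d6.0
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
CERT_EXT = (".pem", ".crt")


def audit_hash_dir(path):
    """Classify entries of a CA directory: live hash links, dangling links, unlinked certs."""
    hashed, dangling, targets, certs = [], [], set(), set()
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if HASH_NAME.match(name):
            if os.path.exists(full):  # follows symlinks; False when the target is gone
                hashed.append(name)
                targets.add(os.path.realpath(full))
            else:
                dangling.append(name)  # stale entry that something must clean up
        elif name.endswith(CERT_EXT) and os.path.isfile(full):
            certs.add(os.path.realpath(full))
    # Certificate files that no hash entry resolves to are invisible to a hashed lookup.
    unlinked = sorted(os.path.basename(c) for c in certs - targets)
    return {"hashed": hashed, "dangling": dangling, "unlinked": unlinked}


def build_sample_dir():
    """Constructed layout: one linked cert, one unlinked cert, one stale link."""
    d = tempfile.mkdtemp()
    for name in ("linked-ca.pem", "unlinked-ca.pem"):
        with open(os.path.join(d, name), "w") as f:
            f.write("placeholder, not a real certificate\n")
    os.symlink("linked-ca.pem", os.path.join(d, "0a1b2c3d.0"))
    os.symlink("removed-ca.pem", os.path.join(d, "deadbeef.0"))  # target missing
    return d


if __name__ == "__main__":
    print(audit_hash_dir(build_sample_dir()))
```

Run against a real directory, an empty `hashed` list is the condition the message describes for /etc/pki/tls/certs.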