Revision as of 09:51, 25 September 2024
Dropping of cert.pem File
Summary
To improve the performance of OpenSSL by having it use the directory-hash format by default, we need to drop the /etc/pki/tls/cert.pem file so that it is no longer loaded by default.
Owner
- Name: František Krenželok
- Email: fkrenzel@redhat.com
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-09-25
- [Announced]
- [<will be assigned by the Wrangler> Discussion thread]
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
To improve the loading time of OpenSSL, directory-hash support was added to ca-certificates. For OpenSSL to use the directory-hash format by default, we need to stop it from trying to load /etc/pki/tls/cert.pem by deleting that file.
Feedback
Benefit to Fedora
Applications using OpenSSL (and possibly other libraries as well) will benefit from much faster initialization of OpenSSL.
Scope
- Proposal owners:
The change is already in Rawhide.
- Other developers:
Any package that loads the root certificates from the /etc/pki/tls/cert.pem file should preferably use the library's defaults or, if it must name a file, use the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file instead.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
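For the "Other developers" item above, one way a package maintainer could audit a source tree for hard-coded uses of the dropped path and apply the recommended fallback. This is an added example, not code from the proposal or from ca-certificates; the helper names (`find_legacy_refs`, `choose_cafile`, `build_context`) and the sample files are constructed for illustration.

```python
import os
import ssl
import tempfile

LEGACY = "/etc/pki/tls/cert.pem"  # file the proposal drops
BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # replacement named above

def find_legacy_refs(root):
    """Return sorted (relative_path, line_number, line) for text lines naming LEGACY."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if b"\0" in data:  # skip binary files
                continue
            text = data.decode("utf-8", "replace")
            for no, line in enumerate(text.splitlines(), 1):
                if LEGACY in line:
                    hits.append((os.path.relpath(path, root), no, line.strip()))
    return sorted(hits)

def choose_cafile(configured):
    """None means 'use the library defaults'; the legacy path maps to the bundle."""
    if not configured:
        return None
    if os.path.normpath(configured) == LEGACY:
        return BUNDLE
    return configured

def build_context(configured=None):
    """Build a verifying TLS context, preferring the library's default trust store."""
    cafile = choose_cafile(configured)
    if cafile is None:
        return ssl.create_default_context()
    return ssl.create_default_context(cafile=cafile)

def demo():
    """Scan a constructed two-file tree; only the config file hard-codes the path."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "conf"))
        with open(os.path.join(root, "conf", "client.ini"), "w") as fh:
            fh.write("[tls]\nca_file = /etc/pki/tls/cert.pem\n")
        with open(os.path.join(root, "fetch.py"), "w") as fh:
            fh.write("import ssl\nctx = ssl.create_default_context()\n")
        return find_legacy_refs(root)

if __name__ == "__main__":
    for rel, no, line in demo():
        print(f"{rel}:{no}: {line}")
```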
Upgrade/compatibility impact
Early Testing (Optional)
Do you require 'QA Blueprint' support? Y/N
How To Test
User Experience
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)