Revision as of 10:51, 25 September 2024
Dropping of cert.pem File
Summary
To let OpenSSL use the faster directory-hash format by default, we need to drop the /etc/pki/tls/cert.pem file so that it is no longer loaded by default.
Owner
- Name: František Krenželok
- Email: fkrenzel@redhat.com
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-09-25
- [Announced]
- [<will be assigned by the Wrangler> Discussion thread]
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
To improve the loading time of OpenSSL, directory-hash support was added to ca-certificates. For OpenSSL to use the directory-hash format by default, we need to stop it from trying to load /etc/pki/tls/cert.pem by deleting the file.
Feedback
Benefit to Fedora
Applications using OpenSSL (and possibly other libraries as well) will benefit from much faster initialization of OpenSSL.
Scope
- Proposal owners:
The change is already in Rawhide.
- Other developers:
Any package that loads the root certificates from the /etc/pki/tls/cert.pem file should preferably use the defaults of the library or, if it must name a file, use the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file instead.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
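For the "Other developers" item above, a package maintainer can check a source tree for hardcoded references to the file being dropped. The following is an added example, not part of the original proposal or of ca-certificates; the function names and the sample tree are constructed for illustration, and only the two paths come from this page.

```python
import os
import tempfile

DEPRECATED = b"/etc/pki/tls/cert.pem"  # path being dropped (from this page)
REPLACEMENT = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # from this page


def find_hardcoded_refs(root):
    """Return sorted (relative_path, line_number, line_text) for each line
    under root that contains the deprecated bundle path."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:  # bytes: also covers non-UTF-8 files
                    data = fh.read()
            except OSError:
                continue  # unreadable file: nothing to report
            if DEPRECATED not in data:
                continue
            rel = os.path.relpath(path, root)
            for lineno, line in enumerate(data.split(b"\n"), start=1):
                if DEPRECATED in line:
                    hits.append((rel, lineno, line.decode("utf-8", "replace").strip()))
    return sorted(hits)


def demo():
    """Scan a constructed sample tree and return the findings."""
    samples = {  # constructed sample files, not taken from any real package
        "src/fetch.py": 'import ssl\nctx = ssl.create_default_context(cafile="/etc/pki/tls/cert.pem")\n',
        "src/ok.py": "import ssl\nctx = ssl.create_default_context()  # library defaults\n",
        "app.conf": "# TLS settings\nca_file = /etc/pki/tls/cert.pem\n",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return find_hardcoded_refs(root)


if __name__ == "__main__":
    for rel, lineno, text in demo():
        print(f"{rel}:{lineno}: {text}")
        print(f"    -> use the library defaults, or {REPLACEMENT}")
```

Each reported line is a place where the code or configuration should either drop the explicit path and rely on the TLS library's defaults, or point at the replacement bundle named above.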
Upgrade/compatibility impact
Early Testing (Optional)
Do you require 'QA Blueprint' support? Y/N
How To Test
User Experience
Dependencies
Contingency Plan
- Contingency mechanism: We will postpone the change if the majority of package owners, or the owners of critical packages, are unable to make the appropriate changes.
- Contingency deadline: before the end of the beta freeze (2025-02-18).
- Blocks release? The feature doesn't block release.
Documentation
The change is documented as a part of ca-certificates changelog.
Release Notes
The /etc/pki/tls/cert.pem file is deprecated use .