In order to increase the default performance of OpenSSL by using the directory-hash format, we need to drop the /etc/pki/tls/cert.pem file so that it is no longer loaded by default.
Owners, do not implement this work until the FESCo vote has explicitly ended. The Fedora Program Manager will create a tracking bug in Bugzilla for this Change, which is your indication to proceed. See the FESCo ticket policy and the Changes policy for more information.
REMINDER: This ticket is for FESCo members to vote on the proposal. Further discussion should happen in the Discourse discussion linked above. Additional discussion may happen on the Fedora Devel mailing list.
The discussion on devel@ seems to indicate that this needs to be rethought a little bit: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/NNVFZMRDXNJN6OJE2ZUJ3NWPHUW6EB2F/
The change proposal was updated and now includes additional files that need to be dropped (one of them being used rarely and the other possibly not at all, as it was used by OpenSSL only).
The change now also contains a Feedback section that notes the concerns and possible workarounds also mentioned in the aforementioned link.
This proposal seems to have been forgotten. Can we get an update on what the current proposal is? I was not a fan of the original plan, because while it may not have been "official", the cert.pem presence has been de facto API for many years.
The proposal is still the same with addition of https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile#Feedback, this is some feedback that was gathered during the discussion clearly stating the pros and cons of the possible alternatives.
For RHEL we are going with this change as it is directly required by a customer request and although there is some work that needs to be done by each and every package affected, the change to '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem' will assure compatibility in the years to come.
I am gathering reports of affected packages and contacting their maintainers, so that if this change lands there are not that many packages that hit this.
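Gathering those reports means finding where the dropped paths are hard-coded. The following is an added illustration, not the Change owner's tooling: it scans a tree of config and source files for references to the paths this Change removes and suggests the replacement path named above. The full path /etc/pki/tls/certs/ca-bundle.trust.crt is assumed from the later Fedora 42 breakage report (the ticket only names the file), the sample files are constructed, and the cbs.conf content is only modelled on the koji client configuration case, not copied from it.

```python
"""Audit a file tree for hard-coded references to CA bundle paths that the
Change drops, and point at the replacement the ticket names.
Added example; not tooling from the Change owner or from Fedora."""
import os
import re
import tempfile
from pathlib import Path

# Paths this Change drops. /etc/pki/tls/cert.pem comes from the ticket
# description; the full path of ca-bundle.trust.crt is an assumption.
DROPPED_PATHS = (
    "/etc/pki/tls/cert.pem",
    "/etc/pki/tls/certs/ca-bundle.trust.crt",
)
# Replacement the ticket describes as compatible "in the years to come".
REPLACEMENT = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

_PATTERN = re.compile("|".join(re.escape(p) for p in DROPPED_PATHS))


def scan_text(text: str, name: str = "<text>") -> list:
    """Return (file, line_no, matched_path) for every dropped-path reference."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in _PATTERN.finditer(line):
            hits.append((name, n, m.group(0)))
    return hits


def scan_tree(root: str,
              suffixes=(".conf", ".cfg", ".ini", ".py", ".sh", ".toml")) -> list:
    """Scan config/source files under root; paths are reported relative to root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits.extend(scan_text(text, str(path.relative_to(root))))
    return hits


def missing_on_host(paths=DROPPED_PATHS) -> list:
    """Dropped paths already absent on this host: any reference to them breaks."""
    return [p for p in paths if not os.path.exists(p)]


def build_sample_tree() -> str:
    """Constructed sample files for the demo (not real package content)."""
    root = tempfile.mkdtemp(prefix="certpem-audit-")
    files = {
        # Modelled on a koji client config; the key/value are a constructed example.
        "cbs.conf": ("[cbs]\nserver = https://cbs.centos.org/kojihub\n"
                     "serverca = /etc/pki/tls/certs/ca-bundle.trust.crt\n"),
        "fetch.py": ("import ssl\n"
                     "ctx = ssl.create_default_context(cafile='/etc/pki/tls/cert.pem')\n"),
        "ok.conf": f"ca_bundle = {REPLACEMENT}\n",
        "notes.txt": "mentions /etc/pki/tls/cert.pem but is not a config file\n",
    }
    for name, body in files.items():
        Path(root, name).write_text(body)
    return root


def report(root: str) -> list:
    """Print one line per hit with the suggested replacement; return the hits."""
    hits = scan_tree(root)
    for f, n, p in hits:
        print(f"{f}:{n}: references {p}; switch to {REPLACEMENT}")
    return hits


if __name__ == "__main__":
    sample = build_sample_tree()
    report(sample)
    print("dropped paths absent on this host:", missing_on_host())
```

Run against a package's unpacked source or an installed /etc to get file:line hits; notes.txt in the sample is skipped on purpose, since only config and source suffixes are scanned.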
dropping Of cert.pem file
The case is reversed in the title.
I think we need to know the list of packages that are affected. Without that, it's hard to know what the impact is.
There is a partial list of packages there, but it has a bunch of ...'s in the table.
Is there a full list we can generate?
Sorry for the confusion, I have been working on the table and the ...'s were placeholders.
I don't personally know the list of all affected packages. I mostly got the information from lbalhar and @churchyard in the https://discussion.fedoraproject.org/t/f42-change-proposal-dropping-of-cert-pem-file-system-wide/135119/10 discussion.
I see no more messages in either here nor in the discussions. Should we move to evaluate this change?
I don't personally know the list of all affected packages.
Usually the Change owner should determine the Scope of their own Change ... though I appreciate that this is hard to do here (other than actually doing the thing) because the usage would often be implicit rather than explicit.
With the information we have, I don't feel confident in approving this (nor rejecting it), so I'm voting ±0.
-1
Considering that the contingency plan should be triggered on or before the 18th of Feb (21 days away), I don't think we have enough time to make this change in an orderly manner for this release, considering that as of today it is not yet clear what all the impacted packages are. On the other hand, I would be +1 pushing the change today in F43, so that we are sure we have plenty of time to address the potentially impacted packages.
This issue will be discussed at the next meeting on 2025-01-28
Metadata Update from @fale: - Issue tagged with: meeting
On the other hand, I would be +1 pushing the change today in F43, so that we are sure we have plenty of time to address the potentially impacted packages
Should we change the target to 43 now?
APPROVED for F43 (+6, 0, -0)
Metadata Update from @fale: - Issue close_status updated to: Accepted - Issue status updated to: Closed (was: Open)
It seems that this Change was partially shipped in Fedora Linux 42, because the ca-bundle.trust.crt file is gone and it broke contributors trying to work in the CentOS Community Build Service Koji instance, as the configuration used by the cbs command used that file.
Here's the bug report exemplifying the problem from @sbonazzo: https://bugzilla.redhat.com/2358273
Thanks for the report! I have just made a bugfix for this (please consider checking the build for karma): https://bodhi.fedoraproject.org/updates/FEDORA-2025-d27d5ffd7a
Is there a tracker bug assigned to this change?
That should all be in place now. F43 changes processing had fallen behind last week with the F42 release, flock support and other personal stuff that I was out of the office for. Changes processing is resuming asap.
On Wed, Apr 16, 2025 at 11:43 AM Miro Hrončok pagure@pagure.io wrote:
> churchyard added a new comment to an issue you are following: Is there a tracker bug assigned to this change?
> To reply, visit the link below or just reply to this email https://pagure.io/fesco/issue/3293

--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney