Feature changed by: Michael Calmer (mcalmer) Feature #319119, revision 5 Title: drop not functional yast2-ca-management Requested by: Michael Calmer (mcalmer) Partner organization: openSUSE.org Description: yast2 ca-management cannot be maintained anymore. No resources. So let's drop it. This include libcamgm as well. + Discussion: + #1: Michael Calmer (mcalmer) (2015-10-14 15:00:45) + Maybe the YaST Team wants to take over the full maintenance. If yes, + please speak up. -- openSUSE Feature: https://features.opensuse.org/319119

Feature changed by: Bruno Friedmann (bruno_friedmann) Feature #319119, revision 7 Title: drop not functional yast2-ca-management Requested by: Michael Calmer (mcalmer) Partner organization: openSUSE.org Description: yast2 ca-management cannot be maintained anymore. No resources. So let's drop it. This include libcamgm as well. Discussion: #1: Michael Calmer (mcalmer) (2015-10-14 15:00:45) Maybe the YaST Team wants to take over the full maintenance. If yes, please speak up. #2: Lukas Ocilka (locilka) (2015-10-14 15:49:25) (reply to #1) No, we don't, we actually can't take it as we are out of our capacities already and don't have the knowledge anyway. The problem is, that the amount of work we take care about raises faster than the amount of developers assigned to these tasks. + #3: Bruno Friedmann (bruno_friedmann) (2015-10-14 17:16:49) + Did you mean there will be no ca management nor for openSUSE nor for + SLE ? + How rude is it. -- openSUSE Feature: https://features.opensuse.org/319119

Feature changed by: Jiri Srain (jsrain) Feature #319119, revision 11 Title: drop not functional yast2-ca-management + Requested by: Jiri Srain (jsrain) Requested by: Michael Calmer (mcalmer) Partner organization: openSUSE.org Description: yast2 ca-management cannot be maintained anymore. No resources. So let's drop it. This include libcamgm as well. Discussion: #1: Michael Calmer (mcalmer) (2015-10-14 15:00:45) Maybe the YaST Team wants to take over the full maintenance. If yes, please speak up. #2: Lukas Ocilka (locilka) (2015-10-14 15:49:25) (reply to #1) No, we don't, we actually can't take it as we are out of our capacities already and don't have the knowledge anyway. The problem is, that the amount of work we take care about raises faster than the amount of developers assigned to these tasks. #3: Bruno Friedmann (bruno_friedmann) (2015-10-14 17:16:49) Did you mean there will be no ca management nor for openSUSE nor for SLE ? How rude is it. #4: Howard Guo (guohouzuo) (2015-10-20 14:04:53) I really liked the CA module :( 90% of the time it works every time. It's really useful and works very well with FreeIPA. -- openSUSE Feature: https://features.opensuse.org/319119

Feature changed by: Michael Calmer (mcalmer) Feature #319119, revision 18 - Title: drop not functional yast2-ca-management + Title: replace yast2-ca-management or drop it if not needed Requested by: Jiri Srain (jsrain) Requested by: Michael Calmer (mcalmer) Partner organization: openSUSE.org Description: yast2 ca-management is a wild combination of yast(ruby) yast (perl) c++ (swig) and and c++ lib. The main component is the libcamgm which is in C++. This lib is unmaintained since years and has a lot of downsides which can only be fixed with spending a lot of time in development into it * not FIPS compliant. It uses a lot of algorythms which are in the meantime defined as insecure and not available anymore if you turn on FIPS mode * RSA only: the lib support only RSA keys. New keys, like DSA or Elliptic Curve Keys are not supported and requires a lot of new implementation to add support for it. * openssl changes a lot: the commandline tools of openssl are not "stable". Every new version we detect something which is not working anymore and the libary needs adaption. * support for new algorythms missing / not tested: not sure if sha256 is correctly working with this lib The number of bug reports from the Enterprise customers was very low. I only had some from the openSUSE comunity. Enterprise Customers either buy there certificates at some Authority or they use other tools to manage PKIs like OpenCA. Another point is, that the yast team tries to remove the language zoo and concentrate on one programming language. With ruby, perl and c++ this module uses at least 1 too much. We should think about alternatives for yast2-ca-managent or find resources to invest in some extra development if we want to keep it for SLES13. Discussion: #1: Michael Calmer (mcalmer) (2015-10-14 15:00:45) Maybe the YaST Team wants to take over the full maintenance. If yes, please speak up. #2: Lukas Ocilka (locilka) (2015-10-14 15:49:25) (reply to #1) No, we don't, we actually can't take it as we are out of our capacities already and don't have the knowledge anyway. The problem is, that the amount of work we take care about raises faster than the amount of developers assigned to these tasks. #3: Bruno Friedmann (bruno_friedmann) (2015-10-14 17:16:49) Did you mean there will be no ca management nor for openSUSE nor for SLE ? How rude is it. #4: Howard Guo (guohouzuo) (2015-10-20 14:04:53) I really liked the CA module :( 90% of the time it works every time. It's really useful and works very well with FreeIPA. -- openSUSE Feature: https://features.opensuse.org/319119

Feature changed by: Matthias Eckermann (mge1512) Feature #319119, revision 25 Title: replace yast2-ca-management or drop it if not needed Requested by: Jiri Srain (jsrain) Requested by: Michael Calmer (mcalmer) Partner organization: openSUSE.org Description: yast2 ca-management is a wild combination of yast(ruby) yast (perl) c++ (swig) and and c++ lib. The main component is the libcamgm which is in C++. This lib is unmaintained since years and has a lot of downsides which can only be fixed with spending a lot of time in development into it * not FIPS compliant. It uses a lot of algorythms which are in the meantime defined as insecure and not available anymore if you turn on FIPS mode * RSA only: the lib support only RSA keys. New keys, like DSA or Elliptic Curve Keys are not supported and requires a lot of new implementation to add support for it. * openssl changes a lot: the commandline tools of openssl are not "stable". Every new version we detect something which is not working anymore and the libary needs adaption. * support for new algorythms missing / not tested: not sure if sha256 is correctly working with this lib The number of bug reports from the Enterprise customers was very low. I only had some from the openSUSE comunity. Enterprise Customers either buy there certificates at some Authority or they use other tools to manage PKIs like OpenCA. Another point is, that the yast team tries to remove the language zoo and concentrate on one programming language. With ruby, perl and c++ this module uses at least 1 too much. We should think about alternatives for yast2-ca-managent or find resources to invest in some extra development if we want to keep it for SLES13. Discussion: #1: Michael Calmer (mcalmer) (2015-10-14 15:00:45) Maybe the YaST Team wants to take over the full maintenance. If yes, please speak up. #2: Lukas Ocilka (locilka) (2015-10-14 15:49:25) (reply to #1) No, we don't, we actually can't take it as we are out of our capacities already and don't have the knowledge anyway. The problem is, that the amount of work we take care about raises faster than the amount of developers assigned to these tasks. #3: Bruno Friedmann (bruno_friedmann) (2015-10-14 17:16:49) Did you mean there will be no ca management nor for openSUSE nor for SLE ? How rude is it. #4: Howard Guo (guohouzuo) (2015-10-20 14:04:53) I really liked the CA module :( 90% of the time it works every time. It's really useful and works very well with FreeIPA. #10: Bruno Friedmann (bruno_friedmann) (2017-03-05 10:19:22) How hard is to create a path to migrate from yast2-ca-management (nice tools used since years) to openCA ? If we want to drop it, as we don't know how much users are using it, we should at least have a migration path documented. With the arguments given (especially the security implication), it's seems to be clear that the tools is having (had?) its eol soon. + #12: Matthias Eckermann (mge1512) (2017-04-04 00:38:46Z) (reply to + #10) + The integration aspect with other YaST module would get lost by moving to + any other solution, thus dropping this remains rejected for SLE 13. -- openSUSE Feature: https://features.opensuse.org/319119

Feature changed by: Matthias Eckermann (mge1512) Feature #319119, revision 30 Title: replace yast2-ca-management or drop it if not needed Requested by: Jiri Srain (jsrain) Requested by: Michael Calmer (mcalmer) Partner organization: openSUSE.org Description: yast2 ca-management is a wild combination of yast(ruby) yast (perl) c++ (swig) and and c++ lib. The main component is the libcamgm which is in C++. This lib is unmaintained since years and has a lot of downsides which can only be fixed with spending a lot of time in development into it * not FIPS compliant. It uses a lot of algorythms which are in the meantime defined as insecure and not available anymore if you turn on FIPS mode * RSA only: the lib support only RSA keys. New keys, like DSA or Elliptic Curve Keys are not supported and requires a lot of new implementation to add support for it. * openssl changes a lot: the commandline tools of openssl are not "stable". Every new version we detect something which is not working anymore and the libary needs adaption. * support for new algorythms missing / not tested: not sure if sha256 is correctly working with this lib The number of bug reports from the Enterprise customers was very low. I only had some from the openSUSE comunity. Enterprise Customers either buy there certificates at some Authority or they use other tools to manage PKIs like OpenCA. Another point is, that the yast team tries to remove the language zoo and concentrate on one programming language. With ruby, perl and c++ this module uses at least 1 too much. We should think about alternatives for yast2-ca-managent or find resources to invest in some extra development if we want to keep it for SLES13. + Business case (Partner benefit): + openSUSE.org: CGL certification. Discussion: #1: Michael Calmer (mcalmer) (2015-10-14 15:00:45) Maybe the YaST Team wants to take over the full maintenance. If yes, please speak up. #2: Lukas Ocilka (locilka) (2015-10-14 15:49:25) (reply to #1) No, we don't, we actually can't take it as we are out of our capacities already and don't have the knowledge anyway. The problem is, that the amount of work we take care about raises faster than the amount of developers assigned to these tasks. #3: Bruno Friedmann (bruno_friedmann) (2015-10-14 17:16:49) Did you mean there will be no ca management nor for openSUSE nor for SLE ? How rude is it. #4: Howard Guo (guohouzuo) (2015-10-20 14:04:53) I really liked the CA module :( 90% of the time it works every time. It's really useful and works very well with FreeIPA. #10: Bruno Friedmann (bruno_friedmann) (2017-03-05 10:19:22) How hard is to create a path to migrate from yast2-ca-management (nice tools used since years) to openCA ? If we want to drop it, as we don't know how much users are using it, we should at least have a migration path documented. With the arguments given (especially the security implication), it's seems to be clear that the tools is having (had?) its eol soon. #12: Matthias Eckermann (mge1512) (2017-04-04 00:38:46Z) (reply to #10) The integration aspect with other YaST module would get lost by moving to any other solution, thus dropping this remains rejected for SLE 13. #13: Marcus Meissner (msmeissn) (2017-04-04 14:38:08Z) (a replacement might be FreeIPA ... but we so far not have it in Factory) -- openSUSE Feature: https://features.opensuse.org/319119