[openFATE 306373] revival of openCA
Feature added by: Stephan Kulow (coolo) Feature #306373, revision 1, last change by Title: revival of openCA openSUSE-11.2: Unconfirmed Priority Requester: Important Requested by: Hans Witvliet (digi_hans) Description: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3 Any chance of reviving OpenCA? In the security manuals, chapter x509, it says that the yast-module for maintaing certificates is nice for small set-up's, but not intented for large roll-outs. OpenCA seems to be right for that job, with (poosible) seperate CA, RA, OSCP, support for smartcards and LDAP, mysql. If i'm not mistaken, Adrian maintained some time ago an old version of OpenCA for openSuSE_10.3. Hence my question: is it possible to re-create it for the 1.0.2 (ten-ten) version of openCA, preferably for openSUSE_11.1 and SLES-11 ? It seems that current verion of OpenCA does build on older versions of openSUSE, but fails to compile on 11.1. (not yet tried on sles11, but expect same results) Relations: - revival of openCA (novell/bugzilla/id: 491024) https://bugzilla.novell.com/show_bug.cgi?id=491024 Discussion: #1: Stephan Kulow (coolo) (2009-04-08 09:11:05) if you can't even get it to compile, it doesn't seem to be that well maintained. So I would think it's not good to rely on security of it. #2: Hans Witvliet (digi_hans) (2009-04-08 16:19:04) To put in perspective... I couldn't complete a compile of the latest version on 11.1. openca offers binaries for fedora, centos, ubuntu and open slowaris. I just tried it on 32/64-bit versions of 11.1, I can try it aagain on older versions. Allthough i just upgraded our whole environment, using our install server with xen farm wouldn't take too long. At work i've got a tough job keeping all the noses point to one direction. But it would be hard to defend sticking with open/sles with considerable effort if it compiles flawless (I kow: seeing is believing..) with others. It seems that OpenCA is the only opensource product in this class, comparing with CASA, yaST, tinyCA, pyCA that are only intended for small scale deployment. And for this particular assigment was specifically asked to evaluate OpenCA, regardless of the environment it runs in, though my first choice would be a sles11-cluster and secondly an open-11.1 cluster. #3: Stephan Kulow (coolo) (2009-04-08 23:58:21) you have two options: a) the openSUSE way: you're free to maintain it in openSUSE:Factory:Contrib (see en.opensuse.org/Contrib) b) the SLES way: you convince your presales contact person that there is no way around The "file an enhancement bug against openSUSE to get a SLES feature" does not work. #4: Hans Witvliet (digi_hans) (2009-04-09 15:22:41) Sorry, if i gave you the wrong impression. imho, openca looks great (from the docu and the live-version) It used to be included 10.0 - 10.3 with the distro itself, and later on it became also available on the OBS (Adrian). I presume that if you got someone who has spent some time before on it, it would be the first one to humbly ask to have a look again, instead of re-inventing the wheel. Personnaly, i work on the R&D department, only doing prototypes and prove-of-concepts and i am happy using openSuSE. Our production department however is using the official SLES-9 and now SLES-10 version. a) So if there is a version on the OBS for open_11.1 i would be happy. b) If it could be incorporated in the list of packages for SLE it would make you happy (sales) c) If the OBS could hold versions for 11.1 and SLE, you would be happier, (sales but no additional packages to officially maintain) Final word about the code: Yes, it is _old_ code, but the only thing that comes close with regards with its features, is the code that comes from AOL: http://www.redhat.com/certificate_system/ And i'm neither eager to switch to rh/fc/ct, nor to suggest a re-write of the 10MB from openCA. Hence my req to revive it on the OBS, anyone would benefit. Or do you have plans to "adopt" the above mentioned GPL-ed java code ;=) -- openSUSE Feature: https://features.opensuse.org/306373
Feature changed by: Stephan Kulow (coolo) Feature #306373, revision 2 Title: revival of openCA openSUSE-11.2: Unconfirmed Priority Requester: Important Requested by: Hans Witvliet (digi_hans) Description: - User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) - Gecko/20060425 SUSE/1.5.0.3-7 Firefox/1.5.0.3 Any chance of reviving OpenCA? In the security manuals, chapter x509, it says that the yast-module for maintaing certificates is nice for small set-up's, but not intented for large roll-outs. OpenCA seems to be right for that job, with (poosible) seperate CA, RA, OSCP, support for smartcards and LDAP, mysql. If i'm not mistaken, Adrian maintained some time ago an old version of OpenCA for openSuSE_10.3. Hence my question: is it possible to re- create it for the 1.0.2 (ten-ten) version of openCA, preferably for openSUSE_11.1 and SLES-11 ? It seems that current verion of OpenCA does build on older versions of openSUSE, but fails to compile on 11.1. (not yet tried on sles11, but expect same results) Relations: - revival of openCA (novell/bugzilla/id: 491024) https://bugzilla.novell.com/show_bug.cgi?id=491024 Discussion: #1: Stephan Kulow (coolo) (2009-04-08 09:11:05) if you can't even get it to compile, it doesn't seem to be that well maintained. So I would think it's not good to rely on security of it. #2: Hans Witvliet (digi_hans) (2009-04-08 16:19:04) To put in perspective... I couldn't complete a compile of the latest version on 11.1. openca offers binaries for fedora, centos, ubuntu and open slowaris. I just tried it on 32/64-bit versions of 11.1, I can try it aagain on older versions. Allthough i just upgraded our whole environment, using our install server with xen farm wouldn't take too long. At work i've got a tough job keeping all the noses point to one direction. But it would be hard to defend sticking with open/sles with considerable effort if it compiles flawless (I kow: seeing is believing..) with others. It seems that OpenCA is the only opensource product in this class, comparing with CASA, yaST, tinyCA, pyCA that are only intended for small scale deployment. And for this particular assigment was specifically asked to evaluate OpenCA, regardless of the environment it runs in, though my first choice would be a sles11-cluster and secondly an open-11.1 cluster. #3: Stephan Kulow (coolo) (2009-04-08 23:58:21) you have two options: a) the openSUSE way: you're free to maintain it in openSUSE:Factory:Contrib (see en.opensuse.org/Contrib) b) the SLES way: you convince your presales contact person that there is no way around The "file an enhancement bug against openSUSE to get a SLES feature" does not work. #4: Hans Witvliet (digi_hans) (2009-04-09 15:22:41) Sorry, if i gave you the wrong impression. imho, openca looks great (from the docu and the live-version) It used to be included 10.0 - 10.3 with the distro itself, and later on it became also available on the OBS (Adrian). I presume that if you got someone who has spent some time before on it, it would be the first one to humbly ask to have a look again, instead of re-inventing the wheel. Personnaly, i work on the R&D department, only doing prototypes and prove-of-concepts and i am happy using openSuSE. Our production department however is using the official SLES-9 and now SLES-10 version. a) So if there is a version on the OBS for open_11.1 i would be happy. b) If it could be incorporated in the list of packages for SLE it would make you happy (sales) c) If the OBS could hold versions for 11.1 and SLE, you would be happier, (sales but no additional packages to officially maintain) Final word about the code: Yes, it is _old_ code, but the only thing that comes close with regards with its features, is the code that comes from AOL: http://www.redhat.com/certificate_system/ And i'm neither eager to switch to rh/fc/ct, nor to suggest a re-write of the 10MB from openCA. Hence my req to revive it on the OBS, anyone would benefit. Or do you have plans to "adopt" the above mentioned GPL-ed java code ; =) -- openSUSE Feature: https://features.opensuse.org/306373
Feature changed by: Diego Ercolani (dercol) Feature #306373, revision 3 Title: revival of openCA openSUSE-11.2: Unconfirmed Priority Requester: Important Requested by: Hans Witvliet (digi_hans) Description: Any chance of reviving OpenCA? In the security manuals, chapter x509, it says that the yast-module for maintaing certificates is nice for small set-up's, but not intented for large roll-outs. OpenCA seems to be right for that job, with (poosible) seperate CA, RA, OSCP, support for smartcards and LDAP, mysql. If i'm not mistaken, Adrian maintained some time ago an old version of OpenCA for openSuSE_10.3. Hence my question: is it possible to re- create it for the 1.0.2 (ten-ten) version of openCA, preferably for openSUSE_11.1 and SLES-11 ? It seems that current verion of OpenCA does build on older versions of openSUSE, but fails to compile on 11.1. (not yet tried on sles11, but expect same results) Relations: - revival of openCA (novell/bugzilla/id: 491024) https://bugzilla.novell.com/show_bug.cgi?id=491024 Discussion: #1: Stephan Kulow (coolo) (2009-04-08 09:11:05) if you can't even get it to compile, it doesn't seem to be that well maintained. So I would think it's not good to rely on security of it. #2: Hans Witvliet (digi_hans) (2009-04-08 16:19:04) To put in perspective... I couldn't complete a compile of the latest version on 11.1. openca offers binaries for fedora, centos, ubuntu and open slowaris. I just tried it on 32/64-bit versions of 11.1, I can try it aagain on older versions. Allthough i just upgraded our whole environment, using our install server with xen farm wouldn't take too long. At work i've got a tough job keeping all the noses point to one direction. But it would be hard to defend sticking with open/sles with considerable effort if it compiles flawless (I kow: seeing is believing..) with others. It seems that OpenCA is the only opensource product in this class, comparing with CASA, yaST, tinyCA, pyCA that are only intended for small scale deployment. And for this particular assigment was specifically asked to evaluate OpenCA, regardless of the environment it runs in, though my first choice would be a sles11-cluster and secondly an open-11.1 cluster. + #5: Diego Ercolani (dercol) (2009-05-29 17:12:43) (reply to #2) + The problem of the compilation under OpenSuSE 11.1 seems to be the + usage of the "install -c" flag that opensuse simply ignores. The + install procedure wants to create directory structures that are nestes + and so install fails.My workaround is to prepend the 'mkdir -p' call to + install -d.This is the patch: Hope this helps, although I don't know + how to use OpenCA, have you got any good userguide? + --- Makefile.global-vars.in.orig 2009-05-29 16:45:34.000000000 + +0200 + +++ Makefile.global-vars.in 2009-05-29 16:46:04.000000000 +0200 + @@ -137,9 +137,11 @@ + $(MAKE) __install_dir DIR=`dirname $(DIR)`; \ + if test -n "$(MODE)"; then \ + set -x; \ + + mkdir -p $(DIR); \ + $(INSTALL) -d -o $(USER) -g $(GROUP) -m $(MODE) + $(DIR); \ + else \ + set -x; \ + + mkdir -p $(DIR); \ + $(INSTALL) -d -o $(USER) -g $(GROUP) $(DIR); \ + fi; \ + fi; \ #3: Stephan Kulow (coolo) (2009-04-08 23:58:21) you have two options: a) the openSUSE way: you're free to maintain it in openSUSE:Factory:Contrib (see en.opensuse.org/Contrib) b) the SLES way: you convince your presales contact person that there is no way around The "file an enhancement bug against openSUSE to get a SLES feature" does not work. #4: Hans Witvliet (digi_hans) (2009-04-09 15:22:41) Sorry, if i gave you the wrong impression. imho, openca looks great (from the docu and the live-version) It used to be included 10.0 - 10.3 with the distro itself, and later on it became also available on the OBS (Adrian). I presume that if you got someone who has spent some time before on it, it would be the first one to humbly ask to have a look again, instead of re-inventing the wheel. Personnaly, i work on the R&D department, only doing prototypes and prove-of-concepts and i am happy using openSuSE. Our production department however is using the official SLES-9 and now SLES-10 version. a) So if there is a version on the OBS for open_11.1 i would be happy. b) If it could be incorporated in the list of packages for SLE it would make you happy (sales) c) If the OBS could hold versions for 11.1 and SLE, you would be happier, (sales but no additional packages to officially maintain) Final word about the code: Yes, it is _old_ code, but the only thing that comes close with regards with its features, is the code that comes from AOL: http://www.redhat.com/certificate_system/ And i'm neither eager to switch to rh/fc/ct, nor to suggest a re-write of the 10MB from openCA. Hence my req to revive it on the OBS, anyone would benefit. Or do you have plans to "adopt" the above mentioned GPL-ed java code ; =) -- openSUSE Feature: https://features.opensuse.org/306373
Feature changed by: Andreas Jaeger (a_jaeger) Feature #306373, revision 4 Title: revival of openCA - openSUSE-11.2: Unconfirmed + openSUSE-11.2: Rejected by Andreas Jaeger (a_jaeger) + reject date: 2010-11-15 10:28:25 + reject reason: Not done in time for openSUSE 11.2. Priority Requester: Important Requested by: Hans Witvliet (digi_hans) Description: Any chance of reviving OpenCA? In the security manuals, chapter x509, it says that the yast-module for maintaing certificates is nice for small set-up's, but not intented for large roll-outs. OpenCA seems to be right for that job, with (poosible) seperate CA, RA, OSCP, support for smartcards and LDAP, mysql. If i'm not mistaken, Adrian maintained some time ago an old version of OpenCA for openSuSE_10.3. Hence my question: is it possible to re- create it for the 1.0.2 (ten-ten) version of openCA, preferably for openSUSE_11.1 and SLES-11 ? It seems that current verion of OpenCA does build on older versions of openSUSE, but fails to compile on 11.1. (not yet tried on sles11, but expect same results) Relations: - revival of openCA (novell/bugzilla/id: 491024) https://bugzilla.novell.com/show_bug.cgi?id=491024 Discussion: #1: Stephan Kulow (coolo) (2009-04-08 09:11:05) if you can't even get it to compile, it doesn't seem to be that well maintained. So I would think it's not good to rely on security of it. #2: Hans Witvliet (digi_hans) (2009-04-08 16:19:04) To put in perspective... I couldn't complete a compile of the latest version on 11.1. openca offers binaries for fedora, centos, ubuntu and open slowaris. I just tried it on 32/64-bit versions of 11.1, I can try it aagain on older versions. Allthough i just upgraded our whole environment, using our install server with xen farm wouldn't take too long. At work i've got a tough job keeping all the noses point to one direction. But it would be hard to defend sticking with open/sles with considerable effort if it compiles flawless (I kow: seeing is believing..) with others. It seems that OpenCA is the only opensource product in this class, comparing with CASA, yaST, tinyCA, pyCA that are only intended for small scale deployment. And for this particular assigment was specifically asked to evaluate OpenCA, regardless of the environment it runs in, though my first choice would be a sles11-cluster and secondly an open-11.1 cluster. #5: Diego Ercolani (dercol) (2009-05-29 17:12:43) (reply to #2) The problem of the compilation under OpenSuSE 11.1 seems to be the usage of the "install -c" flag that opensuse simply ignores. The install procedure wants to create directory structures that are nestes and so install fails.My workaround is to prepend the 'mkdir -p' call to install -d.This is the patch: Hope this helps, although I don't know how to use OpenCA, have you got any good userguide? --- Makefile.global-vars.in.orig 2009-05-29 16:45:34.000000000 +0200 +++ Makefile.global-vars.in 2009-05-29 16:46:04.000000000 +0200 @@ -137,9 +137,11 @@ $(MAKE) __install_dir DIR=`dirname $(DIR)`; \ if test -n "$(MODE)"; then \ set -x; \ + mkdir -p $(DIR); \ $(INSTALL) -d -o $(USER) -g $(GROUP) -m $(MODE) $(DIR); \ else \ set -x; \ + mkdir -p $(DIR); \ $(INSTALL) -d -o $(USER) -g $(GROUP) $(DIR); \ fi; \ fi; \ #3: Stephan Kulow (coolo) (2009-04-08 23:58:21) you have two options: a) the openSUSE way: you're free to maintain it in openSUSE:Factory:Contrib (see en.opensuse.org/Contrib) b) the SLES way: you convince your presales contact person that there is no way around The "file an enhancement bug against openSUSE to get a SLES feature" does not work. #4: Hans Witvliet (digi_hans) (2009-04-09 15:22:41) Sorry, if i gave you the wrong impression. imho, openca looks great (from the docu and the live-version) It used to be included 10.0 - 10.3 with the distro itself, and later on it became also available on the OBS (Adrian). I presume that if you got someone who has spent some time before on it, it would be the first one to humbly ask to have a look again, instead of re-inventing the wheel. Personnaly, i work on the R&D department, only doing prototypes and prove-of-concepts and i am happy using openSuSE. Our production department however is using the official SLES-9 and now SLES-10 version. a) So if there is a version on the OBS for open_11.1 i would be happy. b) If it could be incorporated in the list of packages for SLE it would make you happy (sales) c) If the OBS could hold versions for 11.1 and SLE, you would be happier, (sales but no additional packages to officially maintain) Final word about the code: Yes, it is _old_ code, but the only thing that comes close with regards with its features, is the code that comes from AOL: http://www.redhat.com/certificate_system/ And i'm neither eager to switch to rh/fc/ct, nor to suggest a re-write of the 10MB from openCA. Hence my req to revive it on the OBS, anyone would benefit. Or do you have plans to "adopt" the above mentioned GPL-ed java code ; =) -- openSUSE Feature: https://features.opensuse.org/306373
participants (1)
-
fate_noreply@suse.de