Mailinglist Archive: opensuse-features (40 mails)

[openFATE 319119] replace yast2-ca-management or drop it if not needed
Feature changed by: Marcus Meissner (msmeissn)
Feature #319119, revision 26
Title: replace yast2-ca-management or drop it if not needed

Requested by: Jiri Srain (jsrain)
Requested by: Michael Calmer (mcalmer)
Partner organization: openSUSE.org

Description:
yast2 ca-management is a wild combination of yast (ruby), yast (perl), c++
(swig) and a c++ lib.
The main component is the libcamgm which is in C++. This lib has been
unmaintained for years and has a lot of downsides which can only be
fixed by spending a lot of development time on it:
* not FIPS compliant: it uses a lot of algorithms which are in the
meantime defined as insecure and not available anymore if you turn on
FIPS mode
* RSA only: the lib supports only RSA keys. New keys, like DSA or
Elliptic Curve keys, are not supported and require a lot of new
implementation to add support for them.
* openssl changes a lot: the commandline tools of openssl are not
"stable". With every new version we detect something which is not working
anymore and the library needs adaption.
* support for new algorithms missing / not tested: not sure if sha256
is correctly working with this lib
The number of bug reports from the Enterprise customers was very low. I
only had some from the openSUSE community. Enterprise customers either
buy their certificates at some Authority or they use other tools to
manage PKIs like OpenCA.
Another point is that the yast team tries to remove the language zoo
and concentrate on one programming language. With ruby, perl and c++
this module uses at least one too many.
We should think about alternatives for yast2-ca-management or find
resources to invest in some extra development if we want to keep it for
SLES13.

Discussion:
#1: Michael Calmer (mcalmer) (2015-10-14 15:00:45)
Maybe the YaST Team wants to take over the full maintenance. If yes,
please speak up.

#2: Lukas Ocilka (locilka) (2015-10-14 15:49:25) (reply to #1)
No, we don't, we actually can't take it as we are out of our capacities
already and don't have the knowledge anyway. The problem is that the
amount of work we take care of rises faster than the amount of
developers assigned to these tasks.

#3: Bruno Friedmann (bruno_friedmann) (2015-10-14 17:16:49)
Do you mean there will be no CA management, neither for openSUSE nor for
SLE?
How rude is it.

#4: Howard Guo (guohouzuo) (2015-10-20 14:04:53)
I really liked the CA module :( 90% of the time it works every time.
It's really useful and works very well with FreeIPA.

#10: Bruno Friedmann (bruno_friedmann) (2017-03-05 10:19:22)
How hard is it to create a path to migrate from yast2-ca-management (nice
tools used for years) to openCA? If we want to drop it, as we don't
know how many users are using it, we should at least have a migration
path documented.
With the arguments given (especially the security implication), it
seems to be clear that the tool is having (had?) its EOL soon.

#12: Matthias Eckermann (mge1512) (2017-04-04 00:38:46Z) (reply to #10)
The integration aspect with other YaST modules would get lost by moving to
any other solution, thus dropping this remains rejected for SLE 13.

+ #13: Marcus Meissner (msmeissn) (2017-04-04 14:38:08Z)
+ (a replacement might be FreeIPA ... but so far we do not have it in
+ Factory)

--
openSUSE Feature:
https://features.opensuse.org/319119
