From: David Groep
Date: Mon, 1 June 2015 12:00:00 +0000
Subject: Updated IGTF distribution 1.64 + EoL information on Yum2 and RPM-APT

Dear CAs, Relying Parties, Users, and all others interested,

In this announcement of the IGTF:

1. Updated IGTF distribution version 1.64 available
2. [repeated] Notice on use of (issuer-subject) combination for users
3. End of support for RPM yum version 2 (headers) distributions
4. End of support for APT-RPM distribution support

=========================================================================
1. Updated IGTF distribution version 1.64 available
=========================================================================

A new distribution of Accredited Authorities by the Interoperable Global
Trust Federation, based on the IGTF Common Source, is now available. It
includes the newly accredited Authorities and retires expiring trust
anchors.

This is version 1.64 release 1 and it is now available for download from
the Repository (and mirrors) at

  https://dist.igtf.net/distribution/igtf/current/

Changes from 1.63 to 1.64
-------------------------
(1 June 2015)

* Extended validity period of the BalticGrid CA (EE,LT,LV)
* Removed obsolete NICS-MyProxy CA (US)
* Added revised DigiCertGridCA-1G2-Classic-2015 Classic CA (US)
* Updated CRL URL information for TCS G3 by preferring secondary URI (EU)
* Updated RDIG CA with extended validity self-signed root (RU)
* Removed obsolete NCSA-slcs CA, replaced by NCSA-slcs-2013 (US)

Next Release
------------
Releases are usually done on the last Monday of the month, only when the
trust anchor distribution has been updated substantially. The
currently-estimated next release date of the distribution is at the end
of June 2015.

=========================================================================
2. Notice for system operators using the (issuer-subject) combination
   for identifying users
=========================================================================

The IGTF coordinates a trust fabric that provides unique non-reassigned
identifiers to end-entities (users). This means that, within the scope
of the IGTF authorities, you can use the subject name as a key to e.g.
community membership databases, and to assign data ownership and access
rights.

Several updates to this trust anchor distribution incorporate changes to
the name of the issuing authority, but the name of the end-entities and
the users remains exactly the same. This usually permits users to use
those new issuing services without losing (data) ownership or community
memberships.

However, the IGTF is aware that some systems, in particular VOMS and
VOMS-Admin, were traditionally deployed such that the issuer was also
used to identify the users. To make the changes in this and future
releases transparent, all operators of VOMS and VOMS-Admin services are
requested to enable the subject-only name resolution mechanisms in VOMS
and VOMS Admin:

- on the VOMS core Attribute Authority service, configure the
  "-skipcacheck" flag on start-up. In YAIM this is done by setting
  "VOMS_SKIP_CA_CHECK" to true. See
  https://wiki.italiangrid.it/twiki/bin/view/VOMS/VOMSYAIMGuide

- update VOMS-Admin to version >= 3.3.2, and set
  "voms.skip_ca_check=True" in the service properties. For more info,
  read the release notes at
  http://italiangrid.github.io/voms/release-notes/voms-admin-server/3.3.2/

For other products, please refer to the documentation provided by your
supplier. Products such as Apache httpd itself and most web-based
products (MediaWiki, TWiki, etc) use subject-name matching only and are
thus fully compatible. No changes are needed for these and like
products.
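The effect of the subject-only setting, as an added illustration that is not part of this announcement nor of VOMS itself: a membership lookup keyed on (issuer, subject) loses the user as soon as the CA's issuer name changes, while a subject-only key keeps the record, with the issuer still checked against the distributed trust anchors. All DNs and the trust anchor set below are constructed.

```python
"""Added example (not part of the IGTF announcement): keying user records
on the (issuer, subject) pair vs. on the subject alone.  All DNs and the
trust-anchor list below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    issuer: str   # DN of the issuing CA
    subject: str  # DN of the end entity (user)


# Constructed stand-in for the distributed trust anchors: while a CA is
# being renamed, both its old and its revised issuer name are accredited.
TRUST_ANCHORS = {
    "/DC=org/DC=example/CN=Example Grid CA",       # old anchor (constructed)
    "/DC=org/DC=example/CN=Example Grid CA 2015",  # revised anchor (constructed)
}


def make_key(identity, skip_ca_check):
    """Lookup key for a user record: subject only when skip_ca_check is
    set (the effect of -skipcacheck / voms.skip_ca_check), otherwise the
    legacy (issuer, subject) pair."""
    return identity.subject if skip_ca_check else (identity.issuer, identity.subject)


def is_member(db, identity, skip_ca_check):
    """Membership test.  The issuer must still be an accredited trust
    anchor: subject-only matching changes the lookup key, it does not
    relax which CAs are trusted."""
    if identity.issuer not in TRUST_ANCHORS:
        return False
    return make_key(identity, skip_ca_check) in db


def demo(skip_ca_check):
    """Return (old-cert match, renamed-CA match, unaccredited-CA match)
    for a user enrolled under the old issuer name."""
    old = Identity("/DC=org/DC=example/CN=Example Grid CA",
                   "/DC=org/DC=example/CN=Jane Doe")
    new = Identity("/DC=org/DC=example/CN=Example Grid CA 2015", old.subject)
    rogue = Identity("/DC=org/DC=unaccredited/CN=Other CA", old.subject)
    db = {make_key(old, skip_ca_check)}  # constructed VO membership record
    return (is_member(db, old, skip_ca_check),
            is_member(db, new, skip_ca_check),
            is_member(db, rogue, skip_ca_check))


if __name__ == "__main__":
    print("issuer+subject:", demo(False))  # (True, False, False): membership lost
    print("subject only:  ", demo(True))   # (True, True, False): membership kept
```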
=========================================================================
3. End of support for RPM yum version 2 ("headers") distributions in 2015
=========================================================================

The IGTF distributes repositories of trust anchors packaged in the RPM
Package Manager format as used by many GNU/Linux distributions. These
repositories come pre-populated with package meta-data used by the
Yellowdog Updater, Modified (yum) in two formats: headers (used by yum
versions 1 and 2), and XML repodata (yum version 3+). The main
platform(s) supported by rpm and yum are Fedora Core, RHEL, and CentOS.

The versions of these distributions that depend on yum version 2 and the
'headers' meta-data are now no longer supported, and in the long term
the IGTF will no longer be able to generate yum-2 'header' meta-data for
these repositories. This affects Fedora Core 1, 2, and 3, CentOS 3.x,
and RedHat Enterprise Linux 3 when used with yum. The last one (RHEL3)
reached the end of its extended life phase in January 2014.

Starting in mid-2015, IGTF repositories may no longer contain the
'headers/' directory with meta-data and thus will no longer support yum
version 2. Relying parties depending on the use of yum version 2 must
thereafter (re)generate the relevant repository meta-data.

This change *does not* impact CentOS, nor RHEL4 (end of extended life
foreseen for March 31, 2017), nor FC4, nor later versions of the listed
operating system distributions.

=========================================================================
4. End of support for APT-RPM distribution support
=========================================================================

Support for installing the Redhat Package Manager (RPM) packages using
one of the first package management systems, the Advanced Packaging Tool
("APT"), is going to be discontinued mid-2015. The use of APT for most
purposes has been superseded by the use of "Yum", and the apt-rpm
toolset has not been maintained since 2008. It is no longer usable as-is
with modern RPM based formats.
It may be necessary to discontinue apt-rpm support because of
incompatibilities in the build environment of the IGTF distribution some
time in 2015. In particular, this toolset no longer compiles or links
against the v4.8 rpm development environment.

This change *does not* affect the Debian packaging of the IGTF. The
Debian distribution is self-contained (in .../current/dists/) and does
not share any files with the APT-RPM packages. Apt, the reference
installation mechanism for Debian, will remain fully supported.

=========================================================================
REPEATED NOTICES
=========================================================================

Use in coordinated-deployment infrastructures
---------------------------------------------
If you are part of a coordinated-deployment infrastructure (e.g. a
national or regional e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI or
others) you may want to await their announcement before installing the
release. They could include localised adaptations. For reference we
include the links below:

  PRACE-RI           http://winnetou.surfsara.nl/prace/certs/
  EGI                https://wiki.egi.eu/wiki/EGI_IGTF_Release
  wLCG               https://lcg-ca.web.cern.ch
  Open Science Grid  https://software.grid.iu.edu/cadist/

Supplementary download locations
--------------------------------
The download repository is also mirrored by the APGridPMA at
  https://www.apgridpma.org/distribution/igtf/
and by the EUGridPMA at
  https://dist.eugridpma.info/distribution/igtf/

Where possible validate trust anchors with the GEANT TACAR Repository
  https://www.tacar.org/

About this news letter
----------------------
This newsletter carries IGTF information intended for relying parties.
For more information about this newsletter and how to subscribe, refer
to the EUGridPMA web site at https://www.eugridpma.org/

+-----------------------------------------------------------------------+
| For information on the IGTF Distribution, how to use it and what it   |
| contains, please read the information at                              |
| https://dist.igtf.net/distribution/igtf/README.txt                    |
|                                                                       |
| This file contains important information for new users and should be  |
| read before installing this Distribution.                             |
+-----------------------------------------------------------------------+

If you have suggestions or improvements for the distribution format, to
have it better suit your needs, please contact the EUGridPMA PMA at
or your Regional Policy Management Authority. See the IGTF web site
(www.igtf.net) for further information.