Upgrade zlint from v3.6.0 to v3.6.2 #7594
@pgporada, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.
SRE ticket filed, IN-10466
It's worth noting that `e_cab_dv_subject_invalid_values` contains multiple checks, only one of which we violate. Skipping this lint is somewhat risky, if zlint decides to remove other individual lints which check for things like the Country field. This is also a good prompt to consider removing the SKID from our end-entity certificates. I don't believe anyone is relying on it, and would be some good bytes to shed. (See #7446.) Finally, we may want to consider having different sets of lints for different issuance profiles, so that a "modern" profile which excludes the Common Name can be more strictly checked.
I have merged `main` to resolve the merge conflict in `go.mod`.
This PR contains an update of the PSL. We should arguably do that in a separate PR, but it's also okay for it to be here.
All other transitive dependency updates LGTM.
The vast majority of the 400 zlint file diffs are just changing the copyright date. All other zlint updates (most of which are for S/MIME lints) look reasonable to me.
The unhelpful warning was removed in zmap/zlint@068ae82
Adds a few new lints (largely related to the Profiles ballot and recent CA incidents), two of which we need to disable:
- `e_cab_dv_subject_invalid_values` fails with a Warning because we include a Common Name in most of our certificates. We already ignore `w_subject_common_name_included`, so this is a similar situation.
- `w_ext_subject_key_identifier_not_recommended_subscriber` fails with a Warning because we include the SKID extension in all of our certificates. We intend to remove this extension in our upcoming "modernized" certificate profile.

DO NOT MERGE until IN-10466 is complete