On Mon, 2014-09-08 at 09:48 -0500, Michael Catanzaro wrote:
2) The latest upstream version of ca-certificates removes several root certs with 1024-bit RSA keys, even though valid certificates issued by those certs are still in use [2]. Fedora 21 already has the latest version of ca-certificates, and it has broken popular web sites, including as amazon.com and kickstarter.com, in Epiphany. Please consider delaying any planned update of this package for a few months, until the fallout [3] has passed. Distros shipping GNOME 3.14 should strongly consider sticking with the previous release of ca-certificates, from March 2014.
Hi GNOME distributors, Fedora has documented at [1] a list of CA certificates removed by Mozilla that are still required for glib-networking to be compatible with many web sites. It's now safe to update your ca-certificates package if you take care to restore these legacy certificates with their original trust bits. If you choose to update ca-certificates without ensuring that these certificates remain installed with their original trust bits, we will not handle TLS-related bug reports from your distro. [1] https://fedoraproject.org/wiki/CA-Certificates
Attachment:
signature.asc
Description: This is a digitally signed message part