========================================================================= 2. Fetch-crl utility version 2.7.0 released ========================================================================= The 'fetch-crl' utility is a utility to ensure that Certificate Revocation Lists (CRLs) are periodically retrieved from the web sites of the respective Certification Authorities, and installed on the local system in a trust anchor directory. It is intended for use with those (grid) systems that follow the OpenSSL method of trust anchor distribution. The fetch-crl utility has been updated with bug fixes and new functionality, as described in the CHANGES file below. The most important change is that this version will NOT REPORT transient download errors unless they persist for more than 24 hours. Previously, this function was enabled by the "-a" option or the CRL_AGING_THRESHOLD, but was set to 0 (zero) by default. The new version of fetch-crl can be obained from the IGTF mirror sites and at https://dist.eugridpma.info/distribution/util/fetch-crl/ where you can retrieve version 2.7.0 as well as older versions. Changes in version EGP 2.7.0 ---------------------------- * Warnings and errors are now counted. If there are errors in the download or verification process for one or more CRLs, the exit status will be 1; if there are errors in the local setup or in the script invocation, the exit status will be 2. * The installed CRLs no longer have the textual representation of the CRL, but only the PEM data blob, thus reducing IO and memory requirements. * the CRL aging threshold is now set by default to 24 hours. The previous default was 0. The CRL aging threshold is set in the config file using CRL_AGING_THRESHOLD=, or with the "-a" command-line argument. * Default network timeouts reduced to 10 seconds (was 30) and retries to 2 * Added caching and conditional downloading. When CACHEDIR is set, the original downloads are preserved and wget timestamping mode enabled. When the content did not change, only the timestamp on the installed CRL is updated. If SLOPPYCRLHASHES is set, the has is calculated based on the name of the crl_url file, otherwise it is taken from the CRL itself. - The CACHEDIR must be exclusively writable by the user running fetch-crl - Setting CACHEDIR significantly reduced the bandwidth used by fetch-crl * Added RESETPATHMODE setting in sysconfig. It defines whether or not to re-set $PATH to "/bin:/usr/bin" before start. The search for OpenSSL may be done based on the old path. yes=always replace; searchopenssl=search for openssl first and then reset; no=keep original path, whatever that may be (may be empty if called from cron) Default="yes". This replaces the hard-coded path in the tool. * Hidden "FORCE_OVERWRITE" option now has a regular name. This is backwards- compatible. Set FORCE_OVERWRITE=yes if you want files overwritten that have a CRL-like name and ought to have CRL content, but currently do not. * Addresses gLite Savannah bugs 28418 and 29559. Bug 27023 is partially addressed. Bug 20062 can be remedied with WGET_OPTS arguments. Addresses OSG ticket 4673.