Upgrade zlint from v3.6.0 to v3.6.2 #7594
Conversation
|
@pgporada, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values. |
|
SRE ticket filed, IN-10466 |
|
It's worth noting that e_cab_dv_subject_invalid_values contains multiple checks, only one of which we violate. Skipping this lint is somewhat risky, if zlint decides to remove other individual lints which check for things like the Country field. This is also a good prompt to consider removing the SKID from our end-entity certificates. I don't believe anyone is relying on it, and would be some good bytes to shed. (See #7446.) Finally, we may want to consider having different sets of lints for different issuance profiles, so that a "modern" profile which excludes the Common Name can be more strictly checked. |
There was a problem hiding this comment.
I have merged main to resolve the merge conflict in go.mod.
This PR contains an update of the PSL. We should arguably do that in a separate PR, but it's also okay for it to be here.
All other transitive dependency updates LGTM.
The vast majority of the 400 zlint file diffs are just changing the copyright date. All other zlint updates (most of which are for S/MIME lints) look reasonable to me.
The unhelpful warning was removed in zmap/zlint@068ae82 |
Adds a few new lints (largely related to the Profiles ballot and recent CA incidents), two of which we need to disable:
e_cab_dv_subject_invalid_valuesfails with a Warning because we include a Common Name in most of our certificates. We already ignorew_subject_common_name_included, so this is a similar situation.w_ext_subject_key_identifier_not_recommended_subscriberfails with a Warning because we include the SKID extension in all of our certificates. We intend to remove this extension in our upcoming "modernized" certificate profile.DO NOT MERGE until IN-10466 is complete