Re: Landing a larger-than-release change (distrusting SHA-1 signatures)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Mar 08, 2022 at 07:40:15PM +0100, Alexander Sosedkin wrote:
> We've been disabling it in TLS, but its usage is much wider than TLS.
> The next agonizing step is to restrict its usage for signatures
> on the cryptographic libraries level, with openssl being the scariest one.
> 
> Good news is, RHEL-9 is gonna lead the way
> and thus will take a lot of the hits first.
> Fedora doesn't have to pioneer it.
> Bad news is, Fedora has to follow suit someday anyway,
> and this brings me to how does one land such a change.
> 
> ---
> 
> Fedora is a large distribution with short release cycles, and
> the only realistic way to weed out its reliance on SHA-1 signatures
> from all of its numerous dark corners is to break them.
> Make creation and verification fail in default configuration.
> But it's unreasonable to just wait for, say, Fedora 37 branch-off
> and break it in Rawhide for Fedora 38.
> The fallout will just be too big.

If RHEL-9 has lead the way, what are the stats for real world
RHEL impact ?

What is/was the absolute number of packages and % number of
packages from the RHEL distro  that saw breakage ?

Such figures can give us a better idea of impact on Fedora
beyond "too big".

Assuming RHEL-9 has dealt with the problems, Fedora should
inherit those fixes, which gives us a good base for the most
commonly used / important packages in Fedora.

If the breakage % from RHEL was single digits, and those
were the most important packages to fix from Fedora's POV
too, then maybe the fall is not in fact "too big". It might
be sufficient to identify a few important remaining packages
to validate, and just accept the fallout for the remaining
less important packages in Fedora can be fixed after the
fact ?

IIUC we have a simple workaround of letting someone set the
crypto policies on their machine back to LEGACY still

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux