V Tue, May 31, 2022 at 02:56:56PM +0200, Alexander Sosedkin napsal(a):
> On Tue, May 31, 2022 at 12:28 PM Vitaly Zaitsev via devel
> <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > On 31/05/2022 10:21, Petr Pisar wrote:
> > > Not in current F37 FUTURE policy the user tested.
> >
> > Yes. If the new F37 cryptographic policy considers RSA-2048 to be weak,
> > it should be reverted.
>
> The actual proposal is in the OP.
>
> Not only there's no such thing as "new F37 policy" happening,
> the F39 DEFAULT does allow RSA-2048,
> and this is spelled out upfront in the proposal text in the OP.
> RSA-3072 is only the minimum for the opt-in FUTURE policy,
> which has been the case since at least F28.
>
I'm sorry. You are right that the key length limit won't change.
Probably what confused us is this sentence:
Test your setup with FUTURE today and file bugs so you won't get bit by
Fedora 38-39.
That's obviously incorect because current FUTURE is not equvialent to the
proposed DEFAULT. I recommend you to reword the testing procedure so that
people are not bitten by this discrepancy.
Maybe you should prepare a policy DEFAULT-F39, package it into current Fedora,
and ask people to test DEFAULT-F39 instead of FUTURE or FUTURE:SHA1.
-- Petr
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
