Re: F37 Proposal: Strong crypto settings: phase 3, forewarning 1/2 (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, May 31, 2022 at 3:45 PM Petr Pisar <ppisar@xxxxxxxxxx> wrote:
>
> V Tue, May 31, 2022 at 02:56:56PM +0200, Alexander Sosedkin napsal(a):
> > On Tue, May 31, 2022 at 12:28 PM Vitaly Zaitsev via devel
> > <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > On 31/05/2022 10:21, Petr Pisar wrote:
> > > > Not in current F37 FUTURE policy the user tested.
> > >
> > > Yes. If the new F37 cryptographic policy considers RSA-2048 to be weak,
> > > it should be reverted.
> >
> > The actual proposal is in the OP.
> >
> > Not only there's no such thing as "new F37 policy" happening,
> > the F39 DEFAULT does allow RSA-2048,
> > and this is spelled out upfront in the proposal text in the OP.
> > RSA-3072 is only the minimum for the opt-in FUTURE policy,
> > which has been the case since at least F28.
> >
> I'm sorry. You are right that the key length limit won't change.
>
> Probably what confused us is this sentence:
>
>     Test your setup with FUTURE today and file bugs so you won't get bit by
>     Fedora 38-39.
>
> That's obviously incorect because current FUTURE is not equvialent to the
> proposed DEFAULT. I recommend you to reword the testing procedure so that
> people are not bitten by this discrepancy.
>
> Maybe you should prepare a policy DEFAULT-F39, package it into current Fedora,
> and ask people to test DEFAULT-F39 instead of FUTURE or FUTURE:SHA1.

That'd be TEST-FEDORA39, mentioned as an alternative in the same sentence:

> Install crypto-policies-scripts package and switch to a more restrictive policy
> with either update-crypto-policies --set FUTURE or update-crypto-policies --set TEST-FEDORA39.

I chose to suggest them in this particular order
in hopes of bringing the world a tad closer to the FUTURE and not just
F39 DEFAULT.

Should I drop it?
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux