On Tue, May 31, 2022 at 03:51:26PM +0200, Alexander Sosedkin wrote:
> On Tue, May 31, 2022 at 3:45 PM Petr Pisar <ppisar@xxxxxxxxxx> wrote:
> >
> > On Tue, May 31, 2022 at 02:56:56PM +0200, Alexander Sosedkin wrote:
> > > On Tue, May 31, 2022 at 12:28 PM Vitaly Zaitsev via devel
> > > <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > > On 31/05/2022 10:21, Petr Pisar wrote:
> > > > > Not in current F37 FUTURE policy the user tested.
> > > >
> > > > Yes. If the new F37 cryptographic policy considers RSA-2048 to be weak,
> > > > it should be reverted.
> > >
> > > The actual proposal is in the OP.
> > >
> > > Not only there's no such thing as "new F37 policy" happening,
> > > the F39 DEFAULT does allow RSA-2048,
> > > and this is spelled out upfront in the proposal text in the OP.
> > > RSA-3072 is only the minimum for the opt-in FUTURE policy,
> > > which has been the case since at least F28.
> > >
> > I'm sorry. You are right that the key length limit won't change.
> >
> > Probably what confused us is this sentence:
> >
> >     Test your setup with FUTURE today and file bugs so you won't get bit by
> >     Fedora 38-39.
> >
> > That's obviously incorrect because current FUTURE is not equivalent to the
> > proposed DEFAULT. I recommend you to reword the testing procedure so that
> > people are not bitten by this discrepancy.
> >
> > Maybe you should prepare a policy DEFAULT-F39, package it into current Fedora,
> > and ask people to test DEFAULT-F39 instead of FUTURE or FUTURE:SHA1.
>
> That'd be TEST-FEDORA39, mentioned as an alternative in the same sentence:
>
> > Install crypto-policies-scripts package and switch to a more restrictive policy
> > with either update-crypto-policies --set FUTURE or update-crypto-policies --set TEST-FEDORA39.
>
> I chose to suggest them in this particular order
> in hopes of bringing the world a tad closer to the FUTURE and not just
> F39 DEFAULT.
>
> Should I drop it?

That would be great.

If this change is about SHA-1, I would only keep TEST-FEDORA39 in the Change
page. If you want to promote FUTURE, you can keep a small notice at the end of
How To Test section that people who want to sense security of far future can
try FUTURE policy. But make sure that it's written in an obvious way that
FUTURE is out of scope of this Change.

-- Petr
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure