On Mon, Aug 29, 2022 at 02:30:44PM -0400, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2
>
> == Summary ==
>
> Cryptographic policies will be tightened in Fedora ''38''-39,
> SHA-1 signatures will no longer be trusted by default.
> Fedora ''38'' will do a "jump scare", introducing the change but then
> reverting it in time for Beta.
> Test your setup with TEST-FEDORA39 today and file bugs in advance so
> you won't get bit by Fedora ''38''-39.

This breaks a bunch of V2V use cases where we want to examine old
guests which have RPM databases using SHA1. Also we want to ssh to
remote machines running RHEL 5-era sshd.

> The flagship change this time will be distrusting SHA-1 signatures
> on the cryptographic library level, affecting more than just TLS.
>
> OpenSSL will start blocking signature creation and verification by default,
> with the fallout anticipated to be wide enough
> for us to roll out the change across multiple cycles
> with multiple forewarnings
> to give developers and maintainers ample time to react:

The openssl change was a bad idea in RHEL 9, and it's going to be a
bad idea in Fedora too.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
nbdkit - Flexible, fast NBD server with plugins
https://gitlab.com/nbdkit/nbdkit