> For the last 20 years or so, RPM has used a home-grown OpenPGP parser
> for dealing with keys and signatures. That parser is rather infamous
> for its limitations and flaws, and especially in recent years has
> proven a significant burden to RPM development. In order to improve
> security and free developer resources for dealing with RPM's "core
> business" instead, RPM upstream is in the process of deprecating the
> internal parser in favor of [https://sequoia-pgp.org/ Sequoia PGP]
> based solution written in Rust.

Why are you using a new library written in Rust? Can you not use one of
the existing mature C implementations of OpenPGP? gpgme maybe?

> At this point the change is mostly invisible in normal daily use.

Not really, because it makes some packages uninstallable.

> - Some old, insecure (MD5/SHA1 based) signatures are rejected (this is
>   in line with the stronger crypto settings proposed elsewhere for F38)

Such a hardcoded restriction, without a way for the local administrator
to allow the legacy signatures, is not acceptable.

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
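The thread turns on two things a signature parser has to do before any cryptography happens: decode the OpenPGP packet framing robustly, and report which digest the signature uses so a policy can accept or reject it. The following is an added illustration, not code from RPM, Sequoia PGP or the Fedora change proposal. It parses a v4 OpenPGP signature packet (RFC 4880 framing, old and new header formats) just far enough to extract the public-key and hash algorithm IDs and the creation time, then applies a digest policy that rejects MD5 and SHA1 by default while letting the caller pass a wider allow-list, which is the kind of administrator override the reply asks for. The sample packets are constructed inside the block and carry dummy MPI data, so they are syntactically valid but would never verify against a real key; the `allowed_hashes` parameter is a hypothetical policy knob, not an RPM setting.

```python
"""Minimal v4 OpenPGP signature-packet inspector with a digest policy.

Added example, not RPM's or Sequoia's code. The sample packets built by
build_sample_signature() are constructed here and hold no real signature.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Hash algorithm IDs, RFC 4880 section 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Public-key algorithm IDs, RFC 4880 section 9.1 (22 = EdDSA, registered later).
PK_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
SIGNATURE_TAG = 2

# Default policy: MD5 and SHA1 are rejected. An administrator may hand a
# wider set to check_signature_policy() to accept legacy signatures.
DEFAULT_ALLOWED_HASHES = frozenset({"SHA224", "SHA256", "SHA384", "SHA512"})


@dataclass
class SignatureInfo:
    version: int
    sig_type: int
    pk_algo: str
    hash_algo: str
    creation_time: Optional[int]


def _packet_header(data: bytes) -> Tuple[int, int, int]:
    """Return (tag, header_length, body_length) for the packet at data[0]."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    tag_byte = data[0]
    if tag_byte & 0x40:  # new-format header, RFC 4880 4.2.2
        tag, first = tag_byte & 0x3F, data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03  # old-format, 4.2.1
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def _parse_subpackets(area: bytes) -> Optional[int]:
    """Walk a subpacket area; return the Signature Creation Time if present."""
    creation_time, pos = None, 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, lhdr = first, 1
        elif first < 255:
            length, lhdr = ((first - 192) << 8) + area[pos + 1] + 192, 2
        else:
            length, lhdr = struct.unpack(">I", area[pos + 1:pos + 5])[0], 5
        if length == 0 or pos + lhdr + length > len(area):
            raise ValueError("malformed subpacket length")  # never run past the buffer
        sub_type = area[pos + lhdr] & 0x7F  # high bit is the "critical" flag
        body = area[pos + lhdr + 1:pos + lhdr + length]
        if sub_type == 2 and len(body) == 4:
            creation_time = struct.unpack(">I", body)[0]
        pos += lhdr + length
    return creation_time


def parse_v4_signature(data: bytes) -> SignatureInfo:
    """Decode the algorithm fields of a v4 signature packet; raise ValueError on junk."""
    try:
        tag, hlen, blen = _packet_header(data)
        if tag != SIGNATURE_TAG:
            raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
        body = data[hlen:hlen + blen]
        if len(body) != blen:
            raise ValueError("truncated signature packet")
        if body[0] != 4:
            raise ValueError(f"unsupported signature version {body[0]}")
        sig_type, pk_id, hash_id = body[1], body[2], body[3]
        hashed_len = struct.unpack(">H", body[4:6])[0]
        hashed = body[6:6 + hashed_len]
        if len(hashed) != hashed_len:
            raise ValueError("truncated hashed subpacket area")
        creation_time = _parse_subpackets(hashed)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed packet") from exc
    return SignatureInfo(4, sig_type, PK_ALGOS.get(pk_id, f"unknown({pk_id})"),
                         HASH_ALGOS.get(hash_id, f"unknown({hash_id})"), creation_time)


def check_signature_policy(sig: SignatureInfo, allowed_hashes=DEFAULT_ALLOWED_HASHES):
    """Return (accepted, reason). Unknown digests are rejected, never assumed safe."""
    if sig.hash_algo in allowed_hashes:
        return True, f"{sig.hash_algo} permitted"
    return False, f"{sig.hash_algo} signature rejected by digest policy"


def build_sample_signature(hash_id: int, new_format: bool = False) -> bytes:
    """Constructed sample: RSA v4 binary-document signature with a dummy MPI."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1_600_000_000)  # creation-time subpacket
    mpi = bytes([0x00, 0x08, 0xA5])  # 8-bit MPI, arbitrary content
    body = (bytes([4, 0x00, 1, hash_id]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", 0) + b"\x12\x34" + mpi)
    if new_format:
        return bytes([0xC0 | SIGNATURE_TAG, len(body)]) + body
    return bytes([0x80 | (SIGNATURE_TAG << 2), len(body)]) + body


if __name__ == "__main__":
    for hid in (1, 2, 8):
        info = parse_v4_signature(build_sample_signature(hid))
        print(info.hash_algo, check_signature_policy(info))
```

Two design points carry over to any verifier, home-grown or not: every length field is bounds-checked before it is used, so a truncated or hostile packet yields a clean `ValueError` rather than an out-of-range read, and the policy treats an unrecognised digest ID as a rejection, so a parser gap cannot silently turn into acceptance. Whether the allow-list is hardcoded or exposed to the administrator is exactly the question the reply raises.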