Dear Daniel,
Thanks for your feedback!
On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
> On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote:
> > The problem we expect is that after reverting the patch we can lose the
> > remote access to the hosts because sshd will refuse to start because of
> > group reading permissions. This should be covered by the upgrade scriptlet,
> > though we still may come across some issues, especially if you use host
> > keys in non-standard locations. How do we properly implement this feature
> > to avoid customers' negative feedback? The current upgrade scriptlet covers
> > standard key locations/names and works well enough at first glance.
>
> In terms of upgrade impact the upgrade scriptlet may not be sufficient
> to mitigate the compat risk. It is possible that there are puppet/ansible
> recipes that will be setting file ownership/permissions on the keys,
> which might be liable to undo the effect of any RPM upgrade scriptlet.
>
> > The proposed changes are available
> > https://src.fedoraproject.org/rpms/openssh/pull-request/37
> >
> > A separate question is whether we want to publish this announcement as a
> > Fedora change and at what level. For me it looks like a self-contained
> > change.
>
> Publishing a Fedora change looks like a wise idea, given the upgrade
> risk and its possible ripple effect to OS config mgmt tools like puppet
> and ansible.
Drafted here, to be published:
Dmitry Belyavskiy
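A defender-side check for the upgrade risk discussed above, added here as an example that is not part of the thread, the Fedora openssh package or its upgrade scriptlet: it reads the HostKey directives from an sshd_config (so non-standard key locations are covered), falls back to the three standard key paths when the config names none, flags every private key that is group- or world-accessible, and can tighten them to 0600. The config, key paths and key files are constructed in a temporary directory; it assumes POSIX sh with sed, ls, chmod and mktemp, and matches only the keyword spelled exactly `HostKey`.

```shell
#!/bin/sh
# Added example (not from the thread or the openssh package): audit the sshd host
# private keys before an upgrade that drops the group-readable-keys patch.
# Assumes POSIX sh, sed, ls, chmod, mktemp; matches the keyword spelled "HostKey".

# Print the private key paths named by HostKey directives in a config file,
# or the three standard paths when the config names none.
hostkey_paths() {
    paths=$(sed -n 's/^[[:space:]]*HostKey[[:space:]]\{1,\}//p' "$1")
    if [ -n "$paths" ]; then
        printf '%s\n' $paths          # unquoted on purpose: one path per line
    else
        printf '%s\n' /etc/ssh/ssh_host_rsa_key \
                      /etc/ssh/ssh_host_ecdsa_key \
                      /etc/ssh/ssh_host_ed25519_key
    fi
}

# Return 0 when the group and other permission bits are all clear (0600-style),
# which is what an unpatched sshd requires before it will load a private key.
key_mode_ok() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Report every key; the return value is the number that sshd would refuse.
audit_hostkeys() {
    bad=0
    for k in $(hostkey_paths "$1"); do
        if [ ! -f "$k" ]; then
            echo "missing:  $k"
        elif key_mode_ok "$k"; then
            echo "ok:       $k"
        else
            echo "too open: $k ($(ls -ld "$k" | cut -c1-10))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Tighten offending keys to 0600, the same remedy a scriptlet applies to the
# standard paths, but here driven by the config's actual HostKey lines.
fix_hostkeys() {
    for k in $(hostkey_paths "$1"); do
        if [ -f "$k" ] && ! key_mode_ok "$k"; then
            chmod 0600 "$k"
        fi
    done
    return 0
}

# Constructed demo: a config with non-standard key locations, one key left 0640.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/keys"
printf 'Port 22\nHostKey %s/keys/ssh_host_ed25519_key\nHostKey %s/keys/ssh_host_rsa_key\n' \
    "$demo_dir" "$demo_dir" > "$demo_dir/sshd_config"
: > "$demo_dir/keys/ssh_host_ed25519_key"; chmod 0640 "$demo_dir/keys/ssh_host_ed25519_key"
: > "$demo_dir/keys/ssh_host_rsa_key";     chmod 0600 "$demo_dir/keys/ssh_host_rsa_key"

audit_hostkeys "$demo_dir/sshd_config" || echo "$? host key(s) would be rejected by sshd"
```

Running the audit from a configuration-management run after the package upgrade is one way to catch the case Daniel raises, where a puppet or ansible recipe has reset the key modes after the scriptlet tightened them; run it against the real `/etc/ssh/sshd_config` on a host and the constructed demo directory is not needed.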
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue