On Fri, Mar 03, 2023 at 04:02:43PM -0500, Stephen Smoogen wrote: > On Fri, 3 Mar 2023 at 15:56, Ben Cotton <bcotton@xxxxxxxxxx> wrote: > > 2. crypto-policies — Insecure installed RPMs (like Google Chrome) > > prevent system updates in F38, can't be removed — NEW > > ACTION: Upstream to implement MR #129 > > > > > > 2. crypto-policies — https://bugzilla.redhat.com/show_bug.cgi?id=2170878 > > — NEW > > Insecure installed RPMs (like Google Chrome) prevent system updates in > > F38, can't be removed > > > > Some third-party repos (including Google Chrome) that sign packages > > with SHA-1 cannot be uninstalled, which breaks upgrades. This was > > designated a blocker by FESCo. Work is in progress upstream to allow > > RPM to permit SHA-1 in the default policy while third-party repos > > update to a supported hash function: > > > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129 > > I think the issue is 'larger' than SHA-1. Google Chrome and some other 3rd > party software seem to be signed with keys which are both SHA1 and DSA > keys. Either one of these would cause the problem with not being able to > update/uninstall/etc and since one is a checksum and the other is an > encryption type need possibly different solutions. Yes. People are aware of this. Merge request 129 had to go as far as allowing DSA1024 :( Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
