Re: crypto-policies


 



On 3/27/23 12:40, Fabio Valentini wrote:
> On Mon, Mar 27, 2023 at 11:23 AM Kamil Paral <kparal@xxxxxxxxxx> wrote:
>>
>> On Sat, Mar 25, 2023 at 8:20 AM Neal H. Walfield <neal@xxxxxxxxxxxx> wrote:
>>>
>>> Panu wrote https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c126 :
>>>
>>>> To me the key points here are
>>>> 1) there's a lot of obsolete/broken crypto out there
>>>> 2) we need better error messages
>>>>
>>>> Properly dealing with 2) needs an API redesign, but we'll try to work out some sort of bandaid solution.
>>>
>>> Are better diagnostics sufficient from your point of view, or are you
>>> looking for a different solution?
>>
>>
>> I think my question in https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c125 wasn't really answered, or at least I don't understand the implications.
>
> Kamil, would've been good to state that in the bug then. I only saw this email by sheer luck.
>
> *putting on both my FESCo and rpm-sequoia package maintainer hats*
>
> The issue which was voted on for blocker status by FESCo ("In order to
> unblock, RPM must accept SHA-1 hashes and DSA keys for Fedora 38
> (...)") has been resolved.
> As far as I can tell, the anydesk case is different. It's not a
> problem caused by the new crypto policy - the packages don't use a
> SHA-1 signature - but happens because the Sequoia PGP implementation
> is stricter about checking signatures for sanity / validity.
> If I understand correctly, the packages are signed with a key that
> fails validation, so I'm inclined to say "this is not our problem"
> (and it also looks like this is an issue that's specific to this
> third-party package vendor, in contrast to the original SHA-1 / DSA
> issue which affected repositories that are officially endorsed by
> Fedora Workstation).

Indeed. The RpmSequoia change is not really about phasing out any specific algorithms, that's a different topic. The anydesk case is actually a fine showcase of Sequoia doing exactly what the change is advertising! Only it's getting drowned in this SHA1/DSA noise, and poor error messages (which is rpm's, not Sequoia's fault).

	- Panu -