On 4/27/23 20:55, Robert Relyea wrote:
On 4/27/23 3:51 AM, Neal H. Walfield wrote:
Hi all,
A year and a half ago, I began working with Panu on using Sequoia as
RPM's OpenPGP parser. I wrote up our journey from the initial
analysis, to adding the code to RPM, and to getting it into Fedora 38
(yay!) in a blog post. I'm mentioning it here, as I believe it is of
general interest to this community. If this is considered off topic,
I apologize in advance.
https://sequoia-pgp.org/blog/2023/04/27/rpm-sequoia/
Thanks Neal.
A good read indeed.
I do wonder about the error message:
because: SHA1 is not considered secure since 1970-01-01T00:00:00Z
I'm not sure where the date came from, but SHA1 wasn't published until
1993. 1970-01-01 looks like an epoch of some kind. If you must include a
'not considered secure' date it should be something between 2010 and
2017 (2010 when people started worrying about sha1, 2011 and 2013 when
NIST said 'stop using it' and 2017 when Google (ironically - since they
are the ones still signing packages with it) actually broke it).
Probably best to drop the not considered secure if the received date is
null.
Yup, it's not ideal. It's basically an implementation detail leaking
into view, see https://gitlab.com/sequoia-pgp/sequoia/-/issues/1000
- Panu -