Re: Intention to tighten RPM crypto-policy back

On Wed, Sep 27, 2023 at 11:04 AM Alexander Sosedkin
<asosedkin@xxxxxxxxxx> wrote:
>
> On Tue, Sep 26, 2023 at 7:47 PM Peter Robinson <pbrobinson@xxxxxxxxx> wrote:
> >
> > On Tue, Sep 19, 2023 at 10:20 AM Alexander Sosedkin
> > <asosedkin@xxxxxxxxxx> wrote:
> > >
> > > Hello,
> > >
> > > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
> > > Long story short:
> > > RPM has moved to sequoia,
> > > sequoia has started respecting crypto-policies,
> > > Google repos have been signed with a 1024-bit DSA key,
> > > Google Chrome was not installable => F38 blocker.
> > > Back at the time, it's been hastily "resolved"
> > > by relaxing RPM security through crypto-policies
> > > just enough to tolerate that Google signature:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
> > >
> > > Since then it has been brought to my attention that
> > > Google has now added a 4096 bit RSA key
> > > https://www.google.com/linuxrepositories/
> > > (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
> > >
> > > Because of that, I'd like to revert that RPM policy relaxation
> > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> > > in (f39) rawhide and align RPM security with the rest of the policy.
> > >
> > > Thoughts / feedback?
> >
> > I think it should be done as a system wide change so it can have the
> > appropriate review but it seems we're better off than we were.
>
> System-wide or self-contained?

System wide as it potentially affects ability to install 3rd party software.

> I'm not altering the system-wide default,
> I'm removing the exception that was limited to rpm/dnf in scope
> to bring them in line with system-wide default;
> but rpm/dnf are kinda important.
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



