On 09.08.19 14:06, Stephen John Smoogen wrote:
> One of many arguments is that whatever protocol set used to sign
> artifacts has to be audited by various outside agencies in Europe/US/etc
> to be used on their systems. That costs time and money to do. Certain
> tools are already audited like openssl so using them is easier to get
> added to an ongoing certification than something which is not audited
> like libsodium. If it hasn't been part of an ongoing certification,
> libsodium would need to be started from the ground up and probably take
> 2-3 years. Until it is done, there would be considerable 'push-back'
> from various consumers of Fedora from just French government agencies of
> using it as part of something they would allow for usage. That has a
> pile-on effect as industries wanting to work with said agencies can't
> use the OS in certain places, which boils out as a 4-5 year time where
> the signing is in limbo.
>
> This is the part that Petr is not diplomatically covering in that the
> protocol for signing needs to be past and future reliable. The tool
> writer needs to know that it is a long haul of working with existing
> crap for a long time until it can hopefully be removed in 5-10 years
> when whatever audits and certs are done.

Thanks for the explanation! That's unfortunate! :(

However, this only impacts RHEL/CentOS as libsodium is already packaged in Fedora and EPEL, so no problem there using Minisign for verifying file signatures using it I guess?
Replacing PGP with Minisign for RPM package signatures requires a bit more time then :-)

Cheers,
François