Re: Unable to install locally built rpms

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Wed, 2023-03-01 at 20:07 +0100, Ralf Corsépius wrote:
> Am 01.03.23 um 16:31 schrieb Adam Williamson:
> > On Tue, 2023-02-28 at 09:10 +0100, Ralf Corsépius wrote:
> > > Hi,
> > > 
> > > on f38, I am unable to install any locally built package (signed with a
> > > local key, I have been using for many years):
> > 
> > "Many years" is likely the problem. It's probably using SHA-1 or DSA.
> > See, for e.g.,
> > . Those are now
> > known to be insecure.
> > 
> > That bug covers some awkward problems with widely-used third parties
> > still using insecure keys to sign their packages, which likely means
> > this will get put off (one way or another) to at least Fedora 39. But
> > for your own locally built packages, which are under your control, you
> > can solve it permanently right now: generate a new key using a secure
> > algorithm, and re-sign your packages with that.
> > 
> > > What are people supposed to do?
> > 
> > See above.
> Cf. the discussion on *-devel.
> Due to this list not being open, I do not see any sense trying to 
> furtherly discussing this issue here.
> Only one point concerning you and this list: It seems obvious to me, 
> this change was not tested at all. The effects of this change are 
> desasterous,

Well, it was tested. That's why there's a bug report.

We don't have a secret Fedora where we try things behind a dark curtain
and only put them out to the public if they work. That's not how Fedora
works (and I doubt you'd like it if it did). Fedora is open, which
means Fedora development is open, which means the way we test changes
like this is...we make them (in Rawhide and/or Branched, obviously, not
in stable releases!) and then anyone who's interested - whether they
work for RH or not, whether they're part of Fedora QA or not - gets to
try them out. That's what happened in this case, and folks (from all
groups above) noticed this problem, so now we have a bug report and
FESCo is on it and we're getting Google to fix their Chromium RPMs and
the change is getting delayed. Isn't that how this should work?
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: | Mastodon: @adamw@xxxxxxxxxxxxx

test mailing list -- test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to test-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam, report it:

[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]

  Powered by Linux