On Wed, 2023-03-01 at 20:07 +0100, Ralf Corsépius wrote:
>
> On 01.03.23 at 16:31, Adam Williamson wrote:
> > On Tue, 2023-02-28 at 09:10 +0100, Ralf Corsépius wrote:
> > > Hi,
> > >
> > > on f38, I am unable to install any locally built package (signed
> > > with a local key, I have been using for many years):
> >
> > "Many years" is likely the problem. It's probably using SHA-1 or DSA.
> > See, for e.g., https://bugzilla.redhat.com/show_bug.cgi?id=2170878 .
> > Those are now known to be insecure.
> >
> > That bug covers some awkward problems with widely-used third parties
> > still using insecure keys to sign their packages, which likely means
> > this will get put off (one way or another) to at least Fedora 39. But
> > for your own locally built packages, which are under your control, you
> > can solve it permanently right now: generate a new key using a secure
> > algorithm, and re-sign your packages with that.
> >
> > > What are people supposed to do?
> >
> > See above.
>
> Cf. the discussion on *-devel.
>
> Due to this list not being open, I do not see any sense trying to
> further discuss this issue here.
>
> Only one point concerning you and this list: It seems obvious to me,
> this change was not tested at all. The effects of this change are
> disastrous,

Annoying, yes. Disastrous, no. Easiest solution is the one already discussed, your old key is never going to be accepted again so it is time to make a new one. Solved.

Second solution is to revert Fedora's new paranoia that will detonate any old package. "sudo update-crypto-policies --set LEGACY" and get on with life for another Fedora release cycle... then the madmen will break things again.

It is a cryptoweenie thing, break anything more than a few years old while autistically screeching "but it is INSECUUUURE!"

Be thankful, as bad as Fedora can be, OpenSSH is worse; when they do the "INSECUUUUURE!" screeching they eventually remove every line of code that supported the now insecure crypto so you can't even rebuild from source to be able to still talk to that old box in a corner.
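An added example, not part of the thread: a check for the two properties the quoted reply names (a DSA key, or SHA-1 in the key's self-signature) run over `gpg --with-colons` output. The function names and sample records are constructed for illustration, and the field positions are assumed from GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `gpg --with-colons` key listings
# on stdin and flags the two properties named above: DSA keys and SHA-1.
# Assumed field layout (GnuPG doc/DETAILS): "pub" field 4 = public-key
# algorithm, field 5 = key ID; "sig" field 5 = signer key ID, field 16 = hash
# algorithm. OpenPGP numbers: public-key 17 = DSA, hash 2 = SHA-1.
check_signing_key() {
    awk -F: '
        function report_ok() { if (keyid != "" && !bad) print "OK " keyid }
        $1 == "pub" {
            report_ok()
            keyid = $5 ""      # force string compare: IDs are hex, not numbers
            bad = 0
            if ($4 == 17) { print "WEAK " keyid " DSA primary key"; bad = 1 }
        }
        # Only self-signatures count: the signer ID must match the key itself.
        $1 == "sig" && $5 == keyid && $16 == 2 && !seen[keyid]++ {
            print "WEAK " keyid " SHA-1 self-signature"; bad = 1
        }
        END { report_ok() }
    '
}

# Constructed sample records (not real keys): an old DSA-1024 key with a
# SHA-1 self-signature, then a replacement RSA-4096 key self-signed with
# SHA-256 (hash 8) that also carries a SHA-1 certification from the old key.
sample_listing() {
    printf '%s\n' \
        'pub:u:1024:17:A1B2C3D4E5F60718:1167609600:::u:::scSC:' \
        'uid:u::::1167609600::::Local Builder (old key):' \
        'sig:::17:A1B2C3D4E5F60718:1167609600::::Local Builder (old key):13x:::::2:' \
        'pub:u:4096:1:0F1E2D3C4B5A6978:1677628800:::u:::scSC:' \
        'uid:u::::1677628800::::Local Builder (new key):' \
        'sig:::1:0F1E2D3C4B5A6978:1677628800::::Local Builder (new key):13x:::::8:' \
        'sig:::17:A1B2C3D4E5F60718:1677628800::::Local Builder (old key):10x:::::2:'
}

# Real use: gpg --list-sigs --with-colons KEYID | check_signing_key
sample_listing | check_signing_key
```

A key reported as WEAK here is a candidate for replacement before re-signing local packages; the certification from the old key on the new one is ignored because it is not a self-signature.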