On Tue, 2022-09-06 at 11:09 +0300, Panu Matilainen wrote: > On 9/2/22 17:31, Neal H. Walfield wrote: > > Hi all, > > > > rpm 4.18 is on the horizon and includes a new OpenPGP backend based on > > Sequoia PGP. > > > > https://rpm.org/wiki/Releases/4.18.0 > > https://sequoia-pgp.org/ > > > > Thanks to Fabio Valentini (decathorpe) for packaging not only > > rpm-sequoia, but all of the Sequoia packages for Fedora. > > > > > > https://copr.fedorainfracloud.org/coprs/decathorpe/sequoia-test-builds/package/rust-rpm-sequoia/ > > > > > > With this note, I'd firstly like to make the Fedora community more > > aware of this project. (I don't think it has been mentioned here > > yet.) > > > > Second, although the internal OpenPGP backend is still the default > > backend, it will be removed in rpm 4.19: > > > > https://github.com/rpm-software-management/rpm/issues/1935 > > While that was the initial goal, I suspect we may have to stretch this a > bit. I think we'll first need a release where the upstream default is > something else, and then in the next release we can actually look at > axing it. > > > > > It is probably best to start the transition as soon as possible to > > work out any kinks. > > > > In that vein, I'd like to offer my help. Making this type of change > > needs to be done carefully. Perhaps these are questions or concerns. > > I'd like to hear them and respond to them. There is also technical > > work that needs to be done. I'm more of a developer than a packager, > > but if Fedora decides to use the Sequoia backend, I'd like to offer my > > help in any way I can. > > Since rpm 4.18 gained the Sequoia support afterall, we can and should > look into swapping over in Fedora 38. That'll help sorting out any rough > edges and make it easier to eventually swap the default in upstream as > well. We probably need to do this with a change process as anything > rpm-related tends to be system/distro wide in a sense (see below) > > Once the dust from 4.18 has settled (final is expected in a couple of > weeks) we can start digging into this, although nothing prevents > starting with other "paperwork" etc. > > > Note: Sequoia currently uses Nettle on Fedora, but there is ongoing > > work to port it to Sequoia to OpenSSL: > > > > > > https://github.com/rpm-software-management/rpm/issues/2041#issuecomment-1219175000 > > This may well be a blocker on Fedora level, in part to keep container > etc images small but also for distro crypto policies and FIPS (neither > of which nettle supports AIUI).
With my Crypto Team hat on I do not see this as a blocker for Fedora in the short term, we can start with nettle and then move to OpenSSL later. For RHEL we may prefer OpenSSL for various reasons above, but I would note that although we do not certify nettle directly under FIPS we do indirectly as part of GnuTLS, so it is certainly tested cryptography. In fact nettle might be a slightly better choice in some cases for container images because it is much smaller than OpenSSL. Finally nettle could even be statically built into sequoia (together with gmp) if we need even smaller footprint or we are concerned about potential rpm breakage during upgrades. I am not saying we want to do this, but it is an option that OpenSSL 3 won't provide as easily. Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
