> For the last 20 years or so, RPM has used a home-grown OpenPGP parser
> for dealing with keys and signatures. That parser is rather infamous
> for its limitations and flaws, and especially in recent years has
> proven a significant burden to RPM development. In order to improve
> security and free developer resources for dealing with RPM's "core
> business" instead, RPM upstream is in the process of deprecating the
> internal parser in favor of [https://sequoia-pgp.org/ Sequoia PGP]
> based solution written in Rust.
Why are you using a new library written in Rust? Can you not use one of the
existing mature C implementations of OpenPGP? gpgme maybe?
> At this point the change is mostly invisible in normal daily use.
Not really, because it makes some packages uninstallable.
> - Some old, insecure (MD5/SHA1 based) signatures are rejected (this is
> in line with the stronger crypto settings proposed elsewhere for F38)
Such a hardcoded restriction, without a way for the local administrator to
allow the legacy signatures, is not acceptable.
Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
