Dear Daniel, Thanks for your feedback! On Wed, Dec 7, 2022 at 2:55 PM Daniel P. Berrangé <berra...@redhat.com> wrote:
> On Wed, Dec 07, 2022 at 01:48:48PM +0100, Dmitry Belyavskiy wrote: > > The problem we expect is that after reverting the patch we can lose the > > remote access to the hosts because sshd will reject starting because of > > group reading permissions. This should be covered by the upgrade > scriptlet, > > though we still may come across some issues, especially if you use host > > keys in non-standard locations. How do we properly implement this feature > > to avoid customers' negative feedback? Current upgrade scriptlet covers > > standard key locations/names and works well enough at the 1st glance. > > In terms of upgrade impact the upgrade scriptlet may not be sufficient > to mitigate the compat risk. It is possible that there are puppet/ansible > recipes that will be setting file ownership/permissions on the keys, > which might be liable to undo the effect of any RPM upgrade scriptlet. > > > The proposed changes are available > > https://src.fedoraproject.org/rpms/openssh/pull-request/37 > > > > A separate question is whether we want to publish this announcement as a > > Fedora change and at what level. For me it looks like a self-contained > > change. > > Publishing a Fedora change looks like a wise idea, given the upgrade > risk and its possible ripple effect to OS config mgmt tools like puppet > and ansible. > Drafted here, to be published: https://fedoraproject.org/wiki/Changes/SSHKeySignSuidBit -- Dmitry Belyavskiy
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
