Re: crypto-policies

Mon, 27 Mar 2023 03:40:26 -0700 

On 3/27/23 12:40, Fabio Valentini wrote:

On Mon, Mar 27, 2023 at 11:23 AM Kamil Paral <kpa...@redhat.com> wrote:


On Sat, Mar 25, 2023 at 8:20 AM Neal H. Walfield <n...@walfield.org> wrote:


Panu wrote https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c126 :


To me the key points here are
1) there's a lot of obsolete/broken crypto out there
2) we need better error messages

Properly dealing with 2) needs an API redesign, but we'll try to work out some 
sort of bandaid solution.


Are better diagnostics sufficient from your point of view, or are you
looking for a different solution?



I think my question in https://bugzilla.redhat.com/show_bug.cgi?id=2170878#c125 
wasn't really answered, or at least I don't understand the implications.



Kamil, would've been good to state that in the bug then. I only saw this 
email by sheer luck.



*putting on both my FESCo and rpm-sequoia package maintainer hats*

The issue which was voted on for blocker status by FESCo ("In order to
unblock, RPM must accept SHA-1 hashes and DSA keys for Fedora 38
(...)") has been resolved.
As far as I can tell, the anydesk case is different. It's not a
problem caused by the new crypto policy - the packages don't use a
SHA-1 signature - but happens because the Sequoia PGP implementation
is stricter about checking signatures for sanity / validity.
If I understand correctly, the packages are signed with a key that
fails validation, so I'm inclined to say "this is not our problem"
(and it also looks like this is an issue that's specific to this
third-party package vendor, in contrast to the original SHA-1 / DSA
issue which affected repositories that are officially endorsed by
Fedora Workstation).



Indeed. The RpmSequoia change is not really about phasing out any 
specific algorithms, that's a different topic. The anydesk case is 
actually a fine showcase of Sequoia doing exactly what the change is 
advertising! Only it's getting drowned in this SHA1/DSA noise, and poor 
error messages (which is rpm's, not Sequoias fault).


        - Panu -
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

























					Reply via email to