Kevin Kofler via devel wrote:
> I am still opposed, because it is still a backwards-incompatible change that 
> breaks existing repositories (such as my Calcforge one)

Backwards-incompatible changes are often made far too nonchalantly.
This is not one of those cases. When it comes to cryptographic
algorithms, backwards-incompatible changes are necessary from time to
time. Cryptanalysis always progresses, and quantum computers loom on
the horizon. Secure algorithms do not remain secure (except for the
One-Time Pad, which is mathematically proven but quite impractical).

Maybe there will some day be a set of cryptographic algorithms that are
mathematically proven to be secure for all eternity (and more practical
than One-Time Pad). Until that day comes, all software, including your
Calcforge repository, must be prepared to replace algorithms as needed.

> just so that someone can tick a checkbox on some "security" checklist.

As a packager you are responsible for all Fedora users' security. If
you behave as if security is nothing but a pointless checklist, then
you put all of our computers in jeopardy. An attacker who breaches
your computer will be able to inject malware into Fedora through your
packages. It is your duty to take security seriously as long as you
have commit privileges to any Fedora packages.

Björn Persson

Attachment: pgpF1As1bgQjX.pgp
Description: OpenPGP digital signature
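The point above, that software must be able to retire a cryptographic algorithm without breaking everything that depends on it, is usually solved by tagging every stored digest or signature with the algorithm that produced it and checking that tag against a policy at verification time. The following Python is an added illustration of that pattern; it is not code from this thread, from Fedora's build or repository tooling, or from the Calcforge repository. The policy table (which names count as allowed, deprecated or rejected), the `alg:hexdigest` record format and the sample payload are all assumptions made for the example.

```python
"""Algorithm-agile digest records with a deprecation policy.

Added example, not Fedora tooling. A record is stored as "<alg>:<hexdigest>"
so the verifier knows which algorithm to run and can apply a policy to it
instead of hard-coding one algorithm forever.
"""
import hashlib
import hmac

# Hypothetical policy table; the bucket each name lands in is an assumption
# for this example, not a statement of any distribution's actual policy.
ALLOWED = {"sha256", "sha512", "sha3_256"}   # accepted for new and old records
DEPRECATED = {"sha1"}                        # still verified, but flagged for migration
CURRENT = "sha256"                           # algorithm used when creating new records


def make_digest(data: bytes, alg: str = CURRENT) -> str:
    """Create a tagged record. Refuses anything outside the allowed set,
    so a deprecated algorithm can never be used for *new* records."""
    if alg not in ALLOWED:
        raise ValueError(f"refusing to create a digest with {alg!r}")
    return f"{alg}:{hashlib.new(alg, data).hexdigest()}"


def verify(data: bytes, tagged: str) -> str:
    """Return 'ok', 'deprecated' (valid, but must be re-digested before the
    deprecated algorithm is removed entirely) or 'rejected'."""
    alg, _, expected = tagged.partition(":")
    if alg not in ALLOWED and alg not in DEPRECATED:
        return "rejected"          # unknown, disallowed (e.g. md5) or untagged record
    try:
        actual = hashlib.new(alg, data).hexdigest()
    except ValueError:
        return "rejected"          # algorithm unavailable in this build (e.g. FIPS mode)
    if not hmac.compare_digest(actual, expected):
        return "rejected"          # digest mismatch: data or record was altered
    return "ok" if alg in ALLOWED else "deprecated"


def migrate(data: bytes, tagged: str) -> str:
    """Re-digest a record under CURRENT, but only if it still verifies under
    its old algorithm. Migrating a record that does not verify would launder
    tampered data into a fresh, trusted-looking record."""
    status = verify(data, tagged)
    if status == "rejected":
        raise ValueError("record does not verify; refusing to migrate it")
    if status == "deprecated":
        return make_digest(data, CURRENT)
    return tagged


# Constructed sample data: a payload and a legacy record made with the
# deprecated algorithm, standing in for an old repository metadata entry.
SAMPLE = b"constructed sample payload for the example"
LEGACY_RECORD = "sha1:" + hashlib.sha1(SAMPLE).hexdigest()

if __name__ == "__main__":
    print(verify(SAMPLE, LEGACY_RECORD))            # deprecated
    fresh = migrate(SAMPLE, LEGACY_RECORD)
    print(fresh, verify(SAMPLE, fresh))             # sha256:... ok
    print(verify(SAMPLE, "md5:" + hashlib.md5(SAMPLE).hexdigest()))  # rejected
```

The deprecated bucket is what makes a transition possible without a flag day: old records keep verifying while owners re-digest them, and `make_digest` already refuses to create new ones. The bucket is meant to be emptied on a deadline, after which the old algorithm moves to rejected; leaving it open indefinitely would let anyone who can produce a collision under the weak algorithm keep presenting "legacy" records forever.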

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
