On Tue, Sep 26, 2023 at 7:47 PM Peter Robinson <pbrobin...@gmail.com> wrote: > > On Tue, Sep 19, 2023 at 10:20 AM Alexander Sosedkin > <asosed...@redhat.com> wrote: > > > > Hello, > > > > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960 > > Long story short: > > RPM has moved to sequoia, > > sequoia has started respecting crypto-policies, > > Google repos have been signed with a 1024-bit DSA key, > > Google Chrome was not installable => F38 blocker. > > Back at the time, it's been hastily "resolved" > > by relaxing RPM security through crypto-policies > > just enough to tolerate that Google signature: > > https://bugzilla.redhat.com/show_bug.cgi?id=2170878 > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129 > > > > Since then it has been brought to my attention that > > Google has now added a 4096 bit RSA key > > https://www.google.com/linuxrepositories/ > > (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796) > > > > Because of that, I'd like to revert that RPM policy relaxation > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5 > > in (f39) rawhide and align RPM security with the rest of the policy. > > > > Thoughts / feedback? > > I think it should be done as a system wide change so it can have the > appropriate review but it seems we're better off than we were.
System-wide or self-contained? I'm not altering the system-wide default, I'm removing the exception that was limited to rpm/dnf in scope to bring them in line with system-wide default; but rpm/dnf are kinda important. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
