Hi, > On 10. Jun 2024, at 20:16, Richard W.M. Jones <rjo...@redhat.com> wrote: > > On Mon, Jun 10, 2024 at 01:43:57PM +0200, Vít Ondruch wrote: >> I wish this proposal included some examples of what might get broken >> and what will keep working. I guess I am not the only one who have >> very vague understanding what is difference between "signatures" and >> "hashing" or other purposes SHA1 can be used for. > > SSH and HTTPS to old machines (even old versions of Fedora & RHEL) and > to old network equipment and the like will not be possible. > > I'm annoyed that this is not just put behind the LEGACY policy, since > if that's not what "legacy" is for, what _is_ it for?
I’m pretty sure Alex was planning to keep SHA-1 signatures working in the LEGACY policy, or even DEFAULT:SHA-1 (as it currently is on RHEL 9). It isn’t explicitly spelled out in the proposal. What the proposal does say, though, is that you can use FEDORA40 as policy. > As an aside, it'd be very nice if policies could be set per-process. > That would greatly enhance security by allowing specific programs to > connect to the legacy machines, while maintaining general system > security. See this text in the proposal (emphasis mine): Users that need the previous behaviour and don't mind the security implications will be able to revert to the old behavior system-wide (update-crypto-policies --set FEDORA40) or ***per-process (runcp FEDORA40 command args, requires a copr-packaged tool)***. -- Clemens Lang RHEL Crypto Team Red Hat -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
