2025. 02. 05. 11:56 keltezéssel, Alexander Kanavin írta:
On Wed, 5 Feb 2025 at 05:36, Zoltán Böszörményi <[email protected]> wrote:
Also ship a crypto policy file which is used to validate
signing keys.
.../rpm-sequoia/rpm-sequoia.config | 51 ++
+++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia/rpm-sequoia.config
@@ -0,0 +1,51 @@
+[hash_algorithms]
+md5.collision_resistance = "never"
+md5.second_preimage_resistance = "never"
+sha1.collision_resistance = "always"
+sha1.second_preimage_resistance = "always"
+ripemd160.collision_resistance = "never"
+ripemd160.second_preimage_resistance = "never"
+sha224.collision_resistance = "always"
+sha224.second_preimage_resistance = "always"
+sha256.collision_resistance = "always"
+sha256.second_preimage_resistance = "always"
+sha384.collision_resistance = "always"
+sha384.second_preimage_resistance = "always"
+sha512.collision_resistance = "always"
+sha512.second_preimage_resistance = "always"
+default_disposition = "never"
+
+[symmetric_algorithms]
+idea = "never"
+tripledes = "never"
+cast5 = "never"
+blowfish = "never"
+aes128 = "always"
+aes192 = "never"
+aes256 = "always"
+twofish = "never"
+camellia128 = "always"
+camellia192 = "never"
+camellia256 = "always"
+default_disposition = "never"
+
+[asymmetric_algorithms]
+rsa1024 = "never"
+rsa2048 = "always"
+rsa3072 = "always"
+rsa4096 = "always"
+dsa1024 = "always"
+dsa2048 = "always"
+dsa3072 = "always"
+dsa4096 = "always"
+nistp256 = "always"
+nistp384 = "always"
+nistp521 = "always"
+cv25519 = "always"
+elgamal1024 = "never"
+elgamal2048 = "never"
+elgamal3072 = "never"
+elgamal4096 = "never"
+brainpoolp256 = "never"
+brainpoolp512 = "never"
+default_disposition = "never"
You need to very clearly explain how this was created (or where it was
copied from), and how it should be kept up to date. Either in the file
itself, or in the recipe that includes it. Otherwise it's a 'magic
file' that no one knows how to maintain. Hardcoded lists of crypto
algorithms are notoriously prone to becoming outdated, insecure, or
both.
Okay, how about using a git:// SRC_URI entry for fedora-crypto-policies?
That should be self explanatory and no "magic file".
However, I had to do this abomination of a workaround to
exclude the directory from being manhandled by "cargo build":
# This is a workaround for the lack of excluding directories
# in cargo_common.bbclass: a git:// or gitsm:// SRC_URI is
# added to cargo_home/config as a [patch."..."] if both
# name= and destsuffix= are set, but the second git:// repo
# is not Rust based.
#
# The main source has name=sequoia set, but no destsuffix=.
#
# The crypto policy file for rpm-sequoia is generated from
# fedora-crypto-policies, for which the SRC_URI entry
# has destsuffix= set but name= isn't.
SRCREV_FORMAT = "sequoia"
SRC_URI = " \
git://github.com/rpm-software-management/rpm-sequoia.git;protocol=https;branch=main;name=sequoia
\
git://gitlab.com/redhat-crypto/fedora-crypto-policies.git;protocol=https;branch=master;destsuffix=fedora-crypto-policies
\
"
SRCREV_sequoia = "0667e04ae7fb8cf0490919978d69883d16400e41"
# SRCREV for fedora-crypto-policies
SRCREV = "4d262e79be1cd15c84cad55ad88c53a2d7712e85"
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#210860):
https://lists.openembedded.org/g/openembedded-core/message/210860
Mute This Topic: https://lists.openembedded.org/mt/111007197/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
