Re: Intention to tighten RPM crypto-policy back

2023-10-06 Thread Kevin Fenzi
On Fri, Oct 06, 2023 at 01:09:08PM +0200, Petr Pisar wrote:
> 
> These Fedora Project keys distribute in 
> are also affected:
> 
> $ gpg --list-keys 6A2FAEA2352C64E5
> pub   rsa4096 2013-12-16 [SCE]
>   91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5
> uid   [  neznámá   ] Fedora EPEL (7) 
> 
> $ gpg --list-keys 21EA45AB2F86D6A1
> pub   rsa4096 2019-06-05 [SCE]
>   94E279EB8D8F25B21810ADF121EA45AB2F86D6A1
> uid   [  neznámá   ] Fedora EPEL (8) 
> 
> $ gpg --list-keys 7BB90722DBBDCF7C
> pub   rsa4096 2018-11-13 [SCE] [platnost skončí: 2028-12-31]
>   C2A3FA9DC67F68B98BB543F47BB90722DBBDCF7C
> uid   [  neznámá   ] Fedora (iot 2019) 

Yes. I think we should split the epel and fedora keys there (and the iot
one isn't used for a long time and can be dropped). 

I don't think it makes much sense to force changes to the epel7/epel8
keys now just to check some compatibility box on fedora installs. ;) 

See 

https://pagure.io/releng/issue/11703

kevin


___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: Intention to tighten RPM crypto-policy back

2023-10-06 Thread Petr Pisar
On Fri, Oct 06, 2023 at 12:53:23PM +0200, Kamil Paral wrote:
> On Tue, Sep 26, 2023 at 7:23 PM Alexander Sosedkin 
> wrote:
> 
> > On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi  wrote:
> > > It might be good to go through all the ones that were hit by this (it
> > > wasn't just chrome) and indicate if they are now fixed.
> > > You can see a partial list in the common bug:
> > >
> > >
> > https://discussion.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70498
> > >
> > > and in the discussion off it.
> >
> > Whoa, that's too many, I suspect misreporting.
> >
> 
> It was definitely accurate at the time when I wrote it :)

These Fedora Project keys distribute in 
are also affected:

$ gpg --list-keys 6A2FAEA2352C64E5
pub   rsa4096 2013-12-16 [SCE]
  91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5
uid   [  neznámá   ] Fedora EPEL (7) 

$ gpg --list-keys 21EA45AB2F86D6A1
pub   rsa4096 2019-06-05 [SCE]
  94E279EB8D8F25B21810ADF121EA45AB2F86D6A1
uid   [  neznámá   ] Fedora EPEL (8) 

$ gpg --list-keys 7BB90722DBBDCF7C
pub   rsa4096 2018-11-13 [SCE] [platnost skončí: 2028-12-31]
  C2A3FA9DC67F68B98BB543F47BB90722DBBDCF7C
uid   [  neznámá   ] Fedora (iot 2019) 

-- Petr




Re: Intention to tighten RPM crypto-policy back

2023-10-06 Thread Kamil Paral
On Tue, Sep 26, 2023 at 7:23 PM Alexander Sosedkin 
wrote:

> On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi  wrote:
> > It might be good to go through all the ones that were hit by this (it
> > wasn't just chrome) and indicate if they are now fixed.
> > You can see a partial list in the common bug:
> >
> >
> https://discussion.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70498
> >
> > and in the discussion off it.
>
> Whoa, that's too many, I suspect misreporting.
>

It was definitely accurate at the time when I wrote it :)


Re: Intention to tighten RPM crypto-policy back

2023-09-28 Thread Clemens Lang
Hi,

> On 28. Sep 2023, at 14:06, Panu Matilainen  wrote:
> 
> On 9/27/23 20:37, Alexander Sosedkin wrote:
>> 
>> In fact, even Chrome can't be installed with the change properly reverted.
>> Guess I'll have to shelve the wide discussion for a while, we aren't ready. 
>> =(
> 
> AIUI the current issue with Chrome is more that they still include the old 
> SHA-1 based key in their repo along with the newer one in a way that confuses 
> rpm.

Yes, I think that’s what’s happening here. Alex filed 
https://bugzilla.redhat.com/2241019 about this.
I think the importer should be modified to attempt to import all keys in a file 
and ignore those that fail.

The other alternative is that all keys should be imported regardless of whether 
they will be considered usable for verification, and verification of RPMs will 
later fail if those keys are used.

-- 
Clemens Lang
RHEL Crypto Team
Red Hat
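
The two importer behaviours proposed in the message above, modelled next to an all-or-nothing baseline. This is an added example, not code from rpm, sequoia or anyone in the thread; the thresholds, key labels and function names are assumptions made for the illustration, and no real cryptography is performed.

```python
from dataclasses import dataclass

# Assumed thresholds for illustration; the real limits come from the active
# crypto-policies configuration, which this thread does not quote.
MIN_BITS = {"RSA": 2048, "DSA": 2048}
REJECTED_HASHES = {"SHA1"}


@dataclass(frozen=True)
class Key:
    key_id: str        # constructed label, not a real fingerprint
    algo: str
    bits: int
    selfsig_hash: str  # hash algorithm of the key's self-signature


def policy_problems(key):
    """Return the reasons the policy rejects this key (empty list = acceptable)."""
    problems = []
    minimum = MIN_BITS.get(key.algo)
    if minimum is None:
        problems.append(f"{key.algo} is not an allowed algorithm")
    elif key.bits < minimum:
        problems.append(f"{key.algo}-{key.bits} is below the {minimum}-bit minimum")
    if key.selfsig_hash in REJECTED_HASHES:
        problems.append(f"self-signature uses {key.selfsig_hash}")
    return problems


def import_all_or_nothing(key_file):
    """Assumed baseline: one rejected key makes the whole file fail to import."""
    for key in key_file:
        if policy_problems(key):
            return {}
    return {k.key_id: k for k in key_file}


def import_skip_rejected(key_file):
    """First proposal: import every acceptable key and report the rest."""
    keyring, skipped = {}, {}
    for key in key_file:
        problems = policy_problems(key)
        if problems:
            skipped[key.key_id] = problems
        else:
            keyring[key.key_id] = key
    return keyring, skipped


def import_everything(key_file):
    """Second proposal: import unconditionally, enforce policy when verifying."""
    return {k.key_id: k for k in key_file}


def verify(signer_id, keyring, check_policy_at_verify):
    """Model of package verification; returns (ok, reason)."""
    key = keyring.get(signer_id)
    if key is None:
        return False, "signing key not in keyring"
    if check_policy_at_verify:
        problems = policy_problems(key)
        if problems:
            return False, "; ".join(problems)
    return True, "ok"


# Constructed key file: an old weak key shipped next to its replacement.
KEY_FILE = [
    Key("OLD-KEY", "DSA", 1024, "SHA1"),
    Key("NEW-KEY", "RSA", 4096, "SHA512"),
]

if __name__ == "__main__":
    print("all-or-nothing:", sorted(import_all_or_nothing(KEY_FILE)))
    ring, skipped = import_skip_rejected(KEY_FILE)
    print("skip-rejected :", sorted(ring), "skipped:", skipped)
    full = import_everything(KEY_FILE)
    for signer in ("OLD-KEY", "NEW-KEY"):
        print("verify-time   :", signer, verify(signer, full, True))
```

Under both proposals a package signed by the new key verifies and one signed by the old key does not; they differ in whether the rejection is reported at import time or at verification time.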




Re: Intention to tighten RPM crypto-policy back

2023-09-28 Thread Panu Matilainen

On 9/27/23 20:37, Alexander Sosedkin wrote:

On Tue, Sep 19, 2023 at 11:19 AM Alexander Sosedkin
 wrote:


Hello,

6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
Long story short:
RPM has moved to sequoia,
sequoia has started respecting crypto-policies,
Google repos have been signed with a 1024-bit DSA key,
Google Chrome was not installable => F38 blocker.
Back at the time, it's been hastily "resolved"
by relaxing RPM security through crypto-policies
just enough to tolerate that Google signature:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129

Since then it has been brought to my attention that
Google has now added a 4096 bit RSA key
https://www.google.com/linuxrepositories/
(EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)

Because of that, I'd like to revert that RPM policy relaxation
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
in (f39) rawhide and align RPM security with the rest of the policy.

Thoughts / feedback?


OK, I've messed up.

Clemens Lang has kindly pointed me at a flaw in my testing.
Basically, nothing is as rosy as I've previously shown
because of SHA-1 signatures in the keys.
In fact, even Chrome can't be installed with the change properly reverted.
Guess I'll have to shelve the wide discussion for a while, we aren't ready. =(



AIUI the current issue with Chrome is more that they still include the 
old SHA-1 based key in their repo along with the newer one in a way that 
confuses rpm.


- Panu -


Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Alexander Sosedkin
On Tue, Sep 19, 2023 at 11:19 AM Alexander Sosedkin
 wrote:
>
> Hello,
>
> 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
> Long story short:
> RPM has moved to sequoia,
> sequoia has started respecting crypto-policies,
> Google repos have been signed with a 1024-bit DSA key,
> Google Chrome was not installable => F38 blocker.
> Back at the time, it's been hastily "resolved"
> by relaxing RPM security through crypto-policies
> just enough to tolerate that Google signature:
> https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
>
> Since then it has been brought to my attention that
> Google has now added a 4096 bit RSA key
> https://www.google.com/linuxrepositories/
> (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
>
> Because of that, I'd like to revert that RPM policy relaxation
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> in (f39) rawhide and align RPM security with the rest of the policy.
>
> Thoughts / feedback?

OK, I've messed up.

Clemens Lang has kindly pointed me at a flaw in my testing.
Basically, nothing is as rosy as I've previously shown
because of SHA-1 signatures in the keys.
In fact, even Chrome can't be installed with the change properly reverted.
Guess I'll have to shelve the wide discussion for a while, we aren't ready. =(

Sorry for taking your time.


Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Alexander Sosedkin
On Wed, Sep 27, 2023 at 2:38 PM Stephen Gallagher  wrote:
>
> On Wed, Sep 27, 2023 at 7:06 AM Alexander Sosedkin  
> wrote:
> ...
> > Feel free to strike down these proposals
> > using whatever mechanisms Fedora governance offers.
> > https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3
> > rejection suggests they do work.
>
> To be clear, that one was rejected primarily because of Chrome and
> VSCode (both extremely important to our user-base), which appear to
> have been resolved since then. I'm definitely in favor of tightening
> things up at this point.

You're probably thinking about the revert I wanna revert:
https://pagure.io/fesco/issue/2960.
StrongCryptoSettings3 was a different, more ambitious thing,
where preventing openssl from trusting SHA-1 signatures
was the contention point that prevented it from happening.


Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Stephen Gallagher
On Wed, Sep 27, 2023 at 7:06 AM Alexander Sosedkin  wrote:
...
> Feel free to strike down these proposals
> using whatever mechanisms Fedora governance offers.
> https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3
> rejection suggests they do work.

To be clear, that one was rejected primarily because of Chrome and
VSCode (both extremely important to our user-base), which appear to
have been resolved since then. I'm definitely in favor of tightening
things up at this point.


Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Alexander Sosedkin
On Tue, Sep 26, 2023 at 7:40 PM Kevin Kofler via devel
 wrote:
>
> Alexander Sosedkin wrote:
> > Because of that, I'd like to revert that RPM policy relaxation
> > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> > in (f39) rawhide and align RPM security with the rest of the policy.
> >
> > Thoughts / feedback?
>
> I am still opposed, because it is still a backwards-incompatible change that
> breaks existing repositories (such as my Calcforge one) just so that someone
> can tick a checkbox on some "security" checklist.

Yes, those who want to trust that key you've generated back in 2007
will have to use LEGACY policy or relax it in some other way
unless you generate a stronger key, that's precisely my intention.
I'm sorry for putting extra work on you, this is never pleasant,
but, all things considered, I find it well worth the benefit.

If you like *your* systems insecure, I do respect that choice of yours,
and I strive to offer a convenient opt-out of "security"
that should let you lag behind the modern world by ~5 extra years.
But we do need secure *defaults*, and I hope that you see how
compromising the security of most of the installations
at the expense of the convenience of a few packagers
doesn't seem like the right course to me.

I often joke that the four Fedora values are
"Freedom", "Friends", "Features" and "Fecurity"
but, jokes aside, "First" still made that list:
https://docs.fedoraproject.org/en-US/project/#_first
and my reading of it is that
"15 years of backwards compatibility no matter what"
is explicitly a non-goal.

Fedora defaults are already lagging significantly behind, say, RHEL-9,
but there must be some limit to accepting insecure legacy stuff by default,
and I'll keep proposing the limits I find sensible
until I get completely disappointed in this distro.
Feel free to strike down these proposals
using whatever mechanisms Fedora governance offers.
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3
rejection suggests they do work.


Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Peter Robinson
On Wed, Sep 27, 2023 at 11:04 AM Alexander Sosedkin
 wrote:
>
> On Tue, Sep 26, 2023 at 7:47 PM Peter Robinson  wrote:
> >
> > On Tue, Sep 19, 2023 at 10:20 AM Alexander Sosedkin
> >  wrote:
> > >
> > > Hello,
> > >
> > > 6 months ago, there's been a F38 blocker: 
> > > https://pagure.io/fesco/issue/2960
> > > Long story short:
> > > RPM has moved to sequoia,
> > > sequoia has started respecting crypto-policies,
> > > Google repos have been signed with a 1024-bit DSA key,
> > > Google Chrome was not installable => F38 blocker.
> > > Back at the time, it's been hastily "resolved"
> > > by relaxing RPM security through crypto-policies
> > > just enough to tolerate that Google signature:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
> > >
> > > Since then it has been brought to my attention that
> > > Google has now added a 4096 bit RSA key
> > > https://www.google.com/linuxrepositories/
> > > (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
> > >
> > > Because of that, I'd like to revert that RPM policy relaxation
> > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> > > in (f39) rawhide and align RPM security with the rest of the policy.
> > >
> > > Thoughts / feedback?
> >
> > I think it should be done as a system wide change so it can have the
> > appropriate review but it seems we're better off than we were.
>
> System-wide or self-contained?

System wide as it potentially affects ability to install 3rd party software.

> I'm not altering the system-wide default,
> I'm removing the exception that was limited to rpm/dnf in scope
> to bring them in line with system-wide default;
> but rpm/dnf are kinda important.


Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Alexander Sosedkin
On Tue, Sep 26, 2023 at 7:47 PM Peter Robinson  wrote:
>
> On Tue, Sep 19, 2023 at 10:20 AM Alexander Sosedkin
>  wrote:
> >
> > Hello,
> >
> > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
> > Long story short:
> > RPM has moved to sequoia,
> > sequoia has started respecting crypto-policies,
> > Google repos have been signed with a 1024-bit DSA key,
> > Google Chrome was not installable => F38 blocker.
> > Back at the time, it's been hastily "resolved"
> > by relaxing RPM security through crypto-policies
> > just enough to tolerate that Google signature:
> > https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
> >
> > Since then it has been brought to my attention that
> > Google has now added a 4096 bit RSA key
> > https://www.google.com/linuxrepositories/
> > (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
> >
> > Because of that, I'd like to revert that RPM policy relaxation
> > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> > in (f39) rawhide and align RPM security with the rest of the policy.
> >
> > Thoughts / feedback?
>
> I think it should be done as a system wide change so it can have the
> appropriate review but it seems we're better off than we were.

System-wide or self-contained?
I'm not altering the system-wide default,
I'm removing the exception that was limited to rpm/dnf in scope
to bring them in line with system-wide default;
but rpm/dnf are kinda important.


Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Björn Persson
Kevin Kofler via devel wrote:
> I am still opposed, because it is still a backwards-incompatible change that 
> breaks existing repositories (such as my Calcforge one)

Backwards-incompatible changes are often made far too nonchalantly.
This is not one of those cases. When it comes to cryptographic
algorithms, backwards-incompatible changes are necessary from time to
time. Cryptanalysis always progresses, and quantum computers loom at
the horizon. Secure algorithms do not remain secure (except for One-
Time Pad, which is mathematically proven but quite impractical).

Maybe there will some day be a set of cryptographic algorithms that are
mathematically proven to be secure for all eternity (and more practical
than One-Time Pad). Until that day comes, all software, including your
Calcforge repository, must be prepared to replace algorithms as needed.

> just so that someone can tick a checkbox on some "security" checklist.

As a packager you are responsible for all Fedora users' security. If
you behave as if security is nothing but a pointless checklist, then
you put all of our computers in jeopardy. An attacker who breaches
your computer will be able to inject malware into Fedora through your
packages. It is your duty to take security seriously as long as you
have commit privileges to any Fedora packages.

Björn Persson




Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Kevin Fenzi
On Tue, Sep 26, 2023 at 07:22:56PM +0200, Alexander Sosedkin wrote:
> 
> Whoa, that's too many, I suspect misreporting.

Could be. 

> I seriously doubt they were all really using DSA-1024 and switched over.
> But if that really was the case --- great job to all of them.
> 
> > The list from there:
> > Google Chrome (RPM signature rejected, repo key rejected)
> Repo has added RSA-4096, RPM is signed with SHA-512, installs
> 
> > Microsoft Edge (repo key rejected)
> RSA-2048, RPM is signed with SHA-256, installs
> 
> > Dropbox (repo key rejected)
> RSA-2048, RPM is signed with SHA-512
> 
> > Skype (repo key rejected)
> RSA-2048 / SHA-512
> 
> > Visual Studio Code (repo key rejected)
> RSA-2048 / SHA-256 (let's name a package `code`. outstanding move)
> 
> > Sublime Text (repo key rejected)
> RSA-4096 / SHA-256
> 
> > Microsoft Teams (repo key rejected)
> RSA-2048, but https://packages.microsoft.com/yumrepos/ms-teams/repodata
> looks barren
> 
> > TeamViewer (repo key rejected)
> RSA-4096 / SHA-256

Nice. 

Yeah, then it seems like this may well be a time to try again.

I look forward to the change.

kevin




Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Gary Buhrmaster
On Tue, Sep 26, 2023 at 5:40 PM Kevin Kofler via devel
 wrote:

> I am still opposed, because it is still a backwards-incompatible change that
> breaks existing repositories (such as my Calcforge one) just so that someone
> can tick a checkbox on some "security" checklist.

Are you saying you need assistance to generate
modern keys?


Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Peter Robinson
On Tue, Sep 19, 2023 at 10:20 AM Alexander Sosedkin
 wrote:
>
> Hello,
>
> 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
> Long story short:
> RPM has moved to sequoia,
> sequoia has started respecting crypto-policies,
> Google repos have been signed with a 1024-bit DSA key,
> Google Chrome was not installable => F38 blocker.
> Back at the time, it's been hastily "resolved"
> by relaxing RPM security through crypto-policies
> just enough to tolerate that Google signature:
> https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
>
> Since then it has been brought to my attention that
> Google has now added a 4096 bit RSA key
> https://www.google.com/linuxrepositories/
> (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
>
> Because of that, I'd like to revert that RPM policy relaxation
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> in (f39) rawhide and align RPM security with the rest of the policy.
>
> Thoughts / feedback?

I think it should be done as a system wide change so it can have the
appropriate review but it seems we're better off than we were.


Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Peter Robinson
On Tue, Sep 26, 2023 at 6:23 PM Alexander Sosedkin  wrote:
>
> On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi  wrote:
> >
> > On Tue, Sep 19, 2023 at 11:19:18AM +0200, Alexander Sosedkin wrote:
> > > Hello,
> > >
> > > 6 months ago, there's been a F38 blocker: 
> > > https://pagure.io/fesco/issue/2960
> > > Long story short:
> > > RPM has moved to sequoia,
> > > sequoia has started respecting crypto-policies,
> > > Google repos have been signed with a 1024-bit DSA key,
> > > Google Chrome was not installable => F38 blocker.
> > > Back at the time, it's been hastily "resolved"
> > > by relaxing RPM security through crypto-policies
> > > just enough to tolerate that Google signature:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
> > >
> > > Since then it has been brought to my attention that
> > > Google has now added a 4096 bit RSA key
> > > https://www.google.com/linuxrepositories/
> > > (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
> > >
> > > Because of that, I'd like to revert that RPM policy relaxation
> > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> > > in (f39) rawhide and align RPM security with the rest of the policy.
> > >
> > > Thoughts / feedback?
> >
> > It might be good to go through all the ones that were hit by this (it
> > wasn't just chrome) and indicate if they are now fixed.
> > You can see a partial list in the common bug:
> >
> > https://discussion.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70498
> >
> > and in the discussion off it.
>
> Whoa, that's too many, I suspect misreporting.
> I seriously doubt they were all really using DSA-1024 and switched over.
> But if that really was the case --- great job to all of them.
>
> > The list from there:
> > Google Chrome (RPM signature rejected, repo key rejected)
> Repo has added RSA-4096, RPM is signed with SHA-512, installs
>
> > Microsoft Edge (repo key rejected)
> RSA-2048, RPM is signed with SHA-256, installs
>
> > Dropbox (repo key rejected)
> RSA-2048, RPM is signed with SHA-512
>
> > Skype (repo key rejected)
> RSA-2048 / SHA-512
>
> > Visual Studio Code (repo key rejected)
> RSA-2048 / SHA-256 (let's name a package `code`. outstanding move)
>
> > Sublime Text (repo key rejected)
> RSA-4096 / SHA-256
>
> > Microsoft Teams (repo key rejected)
> RSA-2048, but https://packages.microsoft.com/yumrepos/ms-teams/repodata
> looks barren

I believe MS has end of life the dedicated Linux Teams app and
possibly viewer and only support the web app now.

> > TeamViewer (repo key rejected)
> RSA-4096 / SHA-256


Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Kevin Kofler via devel
Alexander Sosedkin wrote:
> Because of that, I'd like to revert that RPM policy relaxation
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> in (f39) rawhide and align RPM security with the rest of the policy.
>  
> Thoughts / feedback?

I am still opposed, because it is still a backwards-incompatible change that 
breaks existing repositories (such as my Calcforge one) just so that someone 
can tick a checkbox on some "security" checklist.

Kevin Kofler


Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Alexander Sosedkin
On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi  wrote:
>
> On Tue, Sep 19, 2023 at 11:19:18AM +0200, Alexander Sosedkin wrote:
> > Hello,
> >
> > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
> > Long story short:
> > RPM has moved to sequoia,
> > sequoia has started respecting crypto-policies,
> > Google repos have been signed with a 1024-bit DSA key,
> > Google Chrome was not installable => F38 blocker.
> > Back at the time, it's been hastily "resolved"
> > by relaxing RPM security through crypto-policies
> > just enough to tolerate that Google signature:
> > https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
> >
> > Since then it has been brought to my attention that
> > Google has now added a 4096 bit RSA key
> > https://www.google.com/linuxrepositories/
> > (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
> >
> > Because of that, I'd like to revert that RPM policy relaxation
> > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> > in (f39) rawhide and align RPM security with the rest of the policy.
> >
> > Thoughts / feedback?
>
> It might be good to go through all the ones that were hit by this (it
> wasn't just chrome) and indicate if they are now fixed.
> You can see a partial list in the common bug:
>
> https://discussion.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70498
>
> and in the discussion off it.

Whoa, that's too many, I suspect misreporting.
I seriously doubt they were all really using DSA-1024 and switched over.
But if that really was the case --- great job to all of them.

> The list from there:
> Google Chrome (RPM signature rejected, repo key rejected)
Repo has added RSA-4096, RPM is signed with SHA-512, installs

> Microsoft Edge (repo key rejected)
RSA-2048, RPM is signed with SHA-256, installs

> Dropbox (repo key rejected)
RSA-2048, RPM is signed with SHA-512

> Skype (repo key rejected)
RSA-2048 / SHA-512

> Visual Studio Code (repo key rejected)
RSA-2048 / SHA-256 (let's name a package `code`. outstanding move)

> Sublime Text (repo key rejected)
RSA-4096 / SHA-256

> Microsoft Teams (repo key rejected)
RSA-2048, but https://packages.microsoft.com/yumrepos/ms-teams/repodata
looks barren

> TeamViewer (repo key rejected)
RSA-4096 / SHA-256


Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Alexander Sosedkin
On Tue, Sep 19, 2023 at 12:44 PM Miroslav Suchý  wrote:
>
> On 19. 09. 23 at 11:19, Alexander Sosedkin wrote:
> > Because of that, I'd like to revert that RPM policy relaxation
> > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> > in (f39) rawhide and align RPM security with the rest of the policy.
> > Thoughts / feedback?
>
> You can try to load the keys from this collection under the tightened policy:
>
> https://github.com/xsuchy/distribution-gpg-keys/

Awesome suggestion, sorry it took me so long to get back to you.

I'm pleased to see that DSA looks dead:
* adobe/RPM-GPG-KEY-adobe-linux: 2007-02-28 - inf
* calcforge/RPM-GPG-KEY-calcforge: 2007-03-30 - inf
* centos/RPM-GPG-KEY-CentOS-5: 2007-01-06 - 2017-01-03 expired
* datto/DATTO-LEGACYDIST-PKGS-GPG-KEY: 2016-02-29 - inf
* dell/public.key: 2001-04-16 - inf
* epel/217521F6.txt: 2007-03-02 - 2017-02-27 expired
* epel/RPM-GPG-KEY-EPEL-5: 2007-03-02 - 2017-02-27 expired
* fedora/RPM-GPG-KEY-fedora-10-primary: 2008-08-27 - inf
* fedora/RPM-GPG-KEY-fedora-10-testing: 2008-08-27 - inf
* fedora/RPM-GPG-KEY-fedora-14-s390x: 2010-12-23 - inf
* fedora/RPM-GPG-KEY-fedora-8-9-primary: 2008-08-27 - inf
* fedora/RPM-GPG-KEY-fedora-8-9-testing: 2008-08-27 - inf
* google/linux_signing_key.pub: - has RSA-4096 now as well
* jenkins/0x9b7d32f2d50582e6.key: 2009-02-01 - inf (repo has a 2023 version)
* jpackage/jpackage.asc: 2002-10-22 - inf
* mariadb/RPM-GPG-KEY-MariaDB: 2010-02-02 - inf
* mysql/RPM-GPG-KEY-mysql: 2003-02-03 2013-09-18 - 2022-02-16 expired
  (repo has newer ones in the same directory)
* oraclelinux/RPM-GPG-KEY-oracle-el4: 2006-09-05 - 2011-09-04 expired
* oraclelinux/RPM-GPG-KEY-oracle-el5: 2007-05-18 - 2015-05-16 expired
* postgresql/RPM-GPG-KEY-PGDG: 2008-01-08 - inf
* postgresql/RPM-GPG-KEY-PGDG-10: 2008-01-08 - inf
* postgresql/RPM-GPG-KEY-PGDG-84: 2008-01-08 - inf
* postgresql/RPM-GPG-KEY-PGDG-90: 2008-01-08 - inf
* postgresql/RPM-GPG-KEY-PGDG-91: 2008-01-08 - inf
* postgresql/RPM-GPG-KEY-PGDG-92: 2008-01-08 - inf
* postgresql/RPM-GPG-KEY-PGDG-93: 2008-01-08 - inf
* postgresql/RPM-GPG-KEY-PGDG-94: 2008-01-08 - inf
* postgresql/RPM-GPG-KEY-PGDG-95: 2008-01-08 - inf
* postgresql/RPM-GPG-KEY-PGDG-96: 2008-01-08 - inf
* redhat/RPM-GPG-KEY-redhat5-auxiliary: 2006-12-01 - inf
* redhat/RPM-GPG-KEY-redhat5-beta: 2002-03-15 - inf
* redhat/RPM-GPG-KEY-redhat5-former: 1999-09-23 - inf
* redhat/RPM-GPG-KEY-redhat5-release: 2006-12-06 - inf
* redhat/RPM-GPG-KEY-redhat5-rhx: 2007-04-17 - inf
* redhat/RPM-GPG-KEY-redhat6-beta: 2002-03-15 2009-02-24 - inf
* redhat/RPM-GPG-KEY-redhat6-legacy-former: 1999-09-23 - inf
* redhat/RPM-GPG-KEY-redhat6-legacy-release: 2006-12-06 - inf
* redhat/RPM-GPG-KEY-redhat6-legacy-rhx: 2007-04-17 - inf
* redhat/RPM-GPG-KEY-redhat6-release: has RSA-4096 as well
* redhat/RPM-GPG-KEY-redhat8-release: has RSA-4096 as well
* remi/RPM-GPG-KEY-remi: 2005-04-21 - inf (repo has newer ones)
* rpmfusion/RPM-GPG-KEY-rpmfusion-free-el-5: 2008-07-12 - inf
* rpmfusion/RPM-GPG-KEY-rpmfusion-nonfree-el-5: 2008-07-12 - inf
* scientific-linux/RPM-GPG-KEY-sl: 2009-07-10 - inf (repo has newer ones)
* smeserver/RPM-GPG-KEY-SMEServer: 2005-09-30 - inf (repo has newer ones)
* suse/RPM-GPG-KEY-SuSE-SLE-10: 2000-10-19 - 2022-03-14 expired (repo has newer ones)
* virtualbox/oracle_vbox.asc: 2010-05-18 - inf (repo has newer ones)

If that repo's representative of the real world situation, I declare
the world ready.
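
An added example, not part of the original message or of Fedora's tooling: one way to produce a listing like the one above from `gpg --with-colons` records, flagging DSA and short RSA primary keys. The function names, the 2048-bit RSA threshold and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify OpenPGP primary keys from gpg colon-format records.
# Fields used: 1=record type, 3=key length, 4=public-key algorithm id,
# 5=key id, 6=creation time (epoch), 7=expiration (epoch, empty = never).
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}  # assumed threshold, not read from the policy

audit_keys() {  # usage: audit_keys NOW_EPOCH < colon-records
    awk -F: -v now="$1" -v min_rsa="$MIN_RSA_BITS" '
        BEGIN { name[1] = "RSA"; name[17] = "DSA"; name[19] = "ECDSA"; name[22] = "EdDSA" }
        $1 != "pub" { next }   # primary keys only; subkeys are "sub" records
        {
            algo = ($4 in name) ? name[$4] : ("algo" $4)
            verdict = "ok"
            if ($4 == 17) verdict = "weak-dsa"
            else if ($4 == 1 && $3 + 0 < min_rsa + 0) verdict = "weak-rsa"
            life = ($7 == "") ? "inf" : (($7 + 0 < now + 0) ? "expired" : "valid")
            printf "%s %s-%s %s %s\n", $5, algo, $3, life, verdict
        }'
}

count_rejected() {  # usage: count_rejected NOW_EPOCH < colon-records
    audit_keys "$1" | awk '$4 != "ok" { n++ } END { print n + 0 }'
}

sample_records() {  # constructed records, not taken from any real keyring
    cat <<'EOF'
pub:-:1024:17:0000000000000001:1172620800:::-:::scESC:
sub:-:2048:16:00000000000000A1:1172620800::::::e:
pub:-:4096:1:0000000000000002:1546300800:1861920000::-:::scESC:
pub:e:1024:1:0000000000000003:1167609600:1483228800::-:::sc:
pub:-:255:22:0000000000000004:1672531200:::-:::scESC:
EOF
}

sample_records | audit_keys "$(date +%s)"
```

For a real key file, pipe `gpg --show-keys --with-colons FILE` into `audit_keys "$(date +%s)"`. The check looks only at the primary key's algorithm and size, so it does not replace actually loading the key under the tightened policy.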


Re: Intention to tighten RPM crypto-policy back

2023-09-19 Thread Kevin Fenzi
On Tue, Sep 19, 2023 at 11:19:18AM +0200, Alexander Sosedkin wrote:
> Hello,
> 
> 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
> Long story short:
> RPM has moved to sequoia,
> sequoia has started respecting crypto-policies,
> Google repos have been signed with a 1024-bit DSA key,
> Google Chrome was not installable => F38 blocker.
> Back at the time, it's been hastily "resolved"
> by relaxing RPM security through crypto-policies
> just enough to tolerate that Google signature:
> https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
> 
> Since then it has been brought to my attention that
> Google has now added a 4096 bit RSA key
> https://www.google.com/linuxrepositories/
> (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
> 
> Because of that, I'd like to revert that RPM policy relaxation
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> in (f39) rawhide and align RPM security with the rest of the policy.
> 
> Thoughts / feedback?

It might be good to go through all the ones that were hit by this (it
wasn't just chrome) and indicate if they are now fixed.
You can see a partial list in the common bug: 

https://discussion.fedoraproject.org/t/popular-third-party-rpms-fail-to-install-update-remove-due-to-security-policies-verification/70498

and in the discussion off it. 

The list from there:

Google Chrome (RPM signature rejected, repo key rejected)
Microsoft Edge (repo key rejected)
Dropbox (repo key rejected)
Skype (repo key rejected)
Visual Studio Code (repo key rejected)
Sublime Text (repo key rejected)
Microsoft Teams (repo key rejected)
TeamViewer (repo key rejected)

kevin




Re: Intention to tighten RPM crypto-policy back

2023-09-19 Thread Miroslav Suchý

On 19. 09. 23 at 11:19, Alexander Sosedkin wrote:
> Because of that, I'd like to revert that RPM policy relaxation
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> in (f39) rawhide and align RPM security with the rest of the policy.
> Thoughts / feedback?


You can try to load the keys from this collection under the tightened policy:

https://github.com/xsuchy/distribution-gpg-keys/

--
Miroslav Suchy, RHCA
Red Hat, Manager, Packit and CPT, #brno, #fedora-buildsys


Re: Intention to tighten RPM crypto-policy back

2023-09-19 Thread Alexander Sosedkin
On Tue, Sep 19, 2023 at 11:19 AM Alexander Sosedkin
 wrote:
>
> Hello,
>
> 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
> Long story short:
> RPM has moved to sequoia,
> sequoia has started respecting crypto-policies,
> Google repos have been signed with a 1024-bit DSA key,
> Google Chrome was not installable => F38 blocker.
> Back at the time, it's been hastily "resolved"
> by relaxing RPM security through crypto-policies
> just enough to tolerate that Google signature:
> https://bugzilla.redhat.com/show_bug.cgi?id=2170878
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129
>
> Since then it has been brought to my attention that
> Google has now added a 4096 bit RSA key
> https://www.google.com/linuxrepositories/
> (EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)
>
> Because of that, I'd like to revert that RPM policy relaxation
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
> in (f39) rawhide and align RPM security with the rest of the policy.

Correction, f40 rawhide.

> Thoughts / feedback?


Intention to tighten RPM crypto-policy back

2023-09-19 Thread Alexander Sosedkin
Hello,

6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960
Long story short:
RPM has moved to sequoia,
sequoia has started respecting crypto-policies,
Google repos have been signed with a 1024-bit DSA key,
Google Chrome was not installable => F38 blocker.
Back at the time, it's been hastily "resolved"
by relaxing RPM security through crypto-policies
just enough to tolerate that Google signature:
https://bugzilla.redhat.com/show_bug.cgi?id=2170878
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/129

Since then it has been brought to my attention that
Google has now added a 4096 bit RSA key
https://www.google.com/linuxrepositories/
(EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796)

Because of that, I'd like to revert that RPM policy relaxation
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5
in (f39) rawhide and align RPM security with the rest of the policy.

Thoughts / feedback?