F38 proposal: RPM Sequoia (System-Wide Change proposal)

2022-10-10 Thread Ben Cotton
https://fedoraproject.org/wiki/Changes/RpmSequoia

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==

Change RPM to use a [https://sequoia-pgp.org/ Sequoia] based OpenPGP
parser instead of its own, flawed and limited implementation.

== Owner ==
* Name: [[User:pmatilai| Panu Matilainen]]
* Email: pmati...@redhat.com


== Detailed Description ==
For the last 20 years or so, RPM has used a home-grown OpenPGP parser
for dealing with keys and signatures. That parser is rather infamous
for its limitations and flaws, and especially in recent years has
proven a significant burden to RPM development. In order to improve
security and free developer resources for dealing with RPM's "core
business" instead, RPM upstream is in the process of deprecating the
internal parser in favor of [https://sequoia-pgp.org/ Sequoia PGP]
based solution written in Rust.
At this point the change is mostly invisible in normal daily use.

== Feedback ==


== Benefit to Fedora ==

The main, direct benefit to Fedora is improved security and
standards-compliance (RFC-4880) in one of the cornerstones of the
whole distribution. Longer term, we can expect better error messages
and other functional improvements regarding key and signature
handling.

== Scope ==
* Proposal owners:
** Help [https://bugzilla.redhat.com/show_bug.cgi?id=2087499
package/review rpm-sequoia]
** Build rpm with --with-crypto=sequoia
** Watch out for the unexpected

* Other developers:
** Help [https://bugzilla.redhat.com/show_bug.cgi?id=2087499
package/review rpm-sequoia]

* Release engineering: [https://pagure.io/releng/issue/11077 #11077]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Objectives: N/A

== Upgrade/compatibility impact ==

Within the Fedora package set, this has no impact as everything is already
using sufficiently strong crypto. Third party repositories / packages
could be signed with insecure crypto, and those may require working
around with --nosignature. However this incidentally overlaps with
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2
which has effectively the same effect on rpm.

== How To Test ==

In general, normal rpm/dnf use provides sufficient test coverage. For
more advanced testers: try signing and verifying with different keys
and their subkeys, using different algorithms etc.

== User Experience ==
For normal usage, the change is quite invisible. The notable exceptions are:
* Some old, insecure (MD5/SHA1 based) signatures are rejected (this is
in line with the stronger crypto settings proposed elsewhere for F38)
* Key import may accept some previously rejected keys, in part due to
limitations of the old parser, but in particular because the old
implementation verifies self-signatures at import time whereas Sequoia
verifies them at time of use.
* Key import may reject some previously accepted keys due to better validation.

== Dependencies ==

The change introduces one new direct dependency:
[https://github.com/rpm-software-management/rpm-sequoia/ rpm-sequoia].
The rpm-sequoia package also takes over other crypto besides OpenPGP.
Currently Sequoia uses nettle as its low-level crypto provider, but
work is underway to
[https://gitlab.com/sequoia-pgp/sequoia/-/merge_requests/1361 support
openssl in Sequoia], and the plan is to have Sequoia in Fedora use
that once it becomes available. This plan
[https://lists.fedoraproject.org/archives/list/de...@lists.fedoraproject.org/message/EY5VVR2VPKSISHRANZTK2HYA6RP6345L/
has the support of the crypto team].

== Contingency Plan ==

* Contingency mechanism: Revert back to the internal PGP parser
* Contingency deadline: Beta release
* Blocks release? No

== Documentation ==

There's not much in the way of documentation as there's not much to
document, except for the deprecation of the internal parser:
https://github.com/rpm-software-management/rpm/issues/1935

rpm-sequoia build instructions can be found in
https://github.com/rpm-software-management/rpm-sequoia/

== Release Notes ==



-- 
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
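As an added illustration of the User Experience point in the proposal above (old MD5/SHA1-based signatures being rejected) and of the RFC 4880 packet format it refers to, here is a small OpenPGP packet walker in Python. This is example code written for this page, not RPM's internal parser and not Sequoia's code. The sample signature packets are constructed inline with dummy MPI contents (they can be parsed but not verified), and the MD5/SHA1 rejection policy is an assumption modelled on the proposal text, not rpm's or Sequoia's actual policy.

```python
"""Minimal RFC 4880 OpenPGP packet walker with a hash-algorithm policy.

Added example; not RPM's or Sequoia's code.  It parses just enough of a
signature packet to see which digest it was made with and rejects MD5/SHA1.
"""
import struct

# RFC 4880 section 9.4 hash algorithm IDs (subset)
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
# Policy assumption mirroring the proposal: MD5 and SHA1 signatures are rejected.
WEAK_HASHES = {1, 2}
SIGNATURE_TAG = 2          # RFC 4880 section 4.3 packet tag for Signature


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bit 7 of the packet tag byte must be set")
        pos += 1
        if ctb & 0x40:                       # new-format header (section 4.2.2)
            tag = ctb & 0x3F
            b0 = data[pos]; pos += 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length = ((b0 - 192) << 8) + data[pos] + 192; pos += 1
            elif b0 == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
            else:
                raise ValueError("partial body lengths not supported here")
        else:                                # old-format header (section 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + n], "big"); pos += n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def parse_signature(body: bytes) -> dict:
    """Return version, signature type, public-key algo and hash algo (section 5.2)."""
    version = body[0]
    if version == 4:
        sig_type, pk_algo, hash_algo = body[1], body[2], body[3]
    elif version == 3:
        if body[1] != 5:
            raise ValueError("v3 hashed material length must be 5")
        sig_type, pk_algo, hash_algo = body[2], body[15], body[16]
    else:
        raise ValueError(f"unsupported signature version {version}")
    return {"version": version, "sig_type": sig_type,
            "pubkey_algo": pk_algo, "hash_algo": hash_algo}


def check_signatures(data: bytes) -> list:
    """Walk the packets; return (version, hash name, verdict) per signature packet."""
    verdicts = []
    for tag, body in iter_packets(data):
        if tag != SIGNATURE_TAG:
            continue                          # keys, user IDs etc. are skipped
        sig = parse_signature(body)
        algo = sig["hash_algo"]
        name = HASH_ALGOS.get(algo, f"unknown({algo})")
        ok = algo in HASH_ALGOS and algo not in WEAK_HASHES
        verdicts.append((sig["version"], name, "accepted" if ok else "rejected"))
    return verdicts


def make_v4_sig_packet(hash_algo: int, new_format: bool = True) -> bytes:
    """Constructed, non-verifiable v4 signature: RSA (1), binary document sig (0x00)."""
    hashed = bytes([5, 2]) + (1665000000).to_bytes(4, "big")   # one creation-time subpacket
    body = bytes([4, 0x00, 1, hash_algo]) + len(hashed).to_bytes(2, "big") + hashed
    body += b"\x00\x00"                        # no unhashed subpackets
    body += b"\xab\xcd"                        # left 16 bits of the hash (dummy)
    body += (16).to_bytes(2, "big") + b"\xbe\xef"   # one 16-bit MPI (dummy)
    if new_format:
        return bytes([0xC0 | SIGNATURE_TAG, len(body)]) + body
    return bytes([0x80 | (SIGNATURE_TAG << 2), len(body)]) + body   # 0x88, 1-octet length


# Constructed sample: a SHA1 signature, an old-format SHA256 one, and a User ID packet.
_UID = b"Example Signer <signer@example.org>"
SAMPLE_BLOB = (make_v4_sig_packet(2)
               + make_v4_sig_packet(8, new_format=False)
               + bytes([0xC0 | 13, len(_UID)]) + _UID)

if __name__ == "__main__":
    for version, name, verdict in check_signatures(SAMPLE_BLOB):
        print(f"v{version} signature using {name}: {verdict}")
```

On a real system the end-to-end equivalent is `rpm --import` of the signer's key followed by `rpm -K` (or `rpmkeys -K`) on the package; the walker above only shows which digest a signature packet declares, which is the field the stricter policy is keyed on.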


** s390x builders Outage **

2022-10-10 Thread Tomas Hrcka
There is an ongoing BOS power outage impacting s390x builders.

Reason for outage: Power outage in the DC


-- 
Tomas Hrcka
role: CPE Team - Senior Software Engineer
fas: humaton
freenode: jednorozec


Orphaned packages looking for new maintainers

2022-10-10 Thread Miro HronĨok

The following packages are orphaned and will be retired when they
are orphaned for six weeks, unless someone adopts them. If you know for sure
that the package should be retired, please do so now with a proper reason:
https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Note: If you received this mail directly you (co)maintain one of the affected
packages or a package that depends on one. Please adopt the affected package or
retire your depending package to avoid broken dependencies, otherwise your
package will fail to install and/or build when the affected package gets 
retired.

Request package ownership via the *Take* button in the left column on
https://src.fedoraproject.org/rpms/

Full report available at:
https://churchyard.fedorapeople.org/orphans-2022-10-10.txt
grep it for your FAS username and follow the dependency chain.

For human readable dependency chains,
see https://packager-dashboard.fedoraproject.org/
For all orphaned packages,
see https://packager-dashboard.fedoraproject.org/orphan

Package                                 (co)maintainers                     Status Change

Falcon                                  orphan                              1 weeks ago
amora                                   orphan                              4 weeks ago
blueberry                               nonamedotc, orphan, rathann         4 weeks ago
brewtarget                              orphan                              0 weeks ago
capstone                                orphan, rebus, ret2libc             1 weeks ago
containerd                              go-sig, gotmax23, orphan            0 weeks ago
csound                                  orphan                              1 weeks ago
espresso-ab                             avigne, orphan                      5 weeks ago
geompp                                  orphan                              3 weeks ago
geteltorito                             orphan                              4 weeks ago
giada                                   orphan                              3 weeks ago
gimp-focusblur-plugin                   orphan                              5 weeks ago
gmqcc                                   orphan                              5 weeks ago
golang-github-beevik-etree              go-sig, mgoodwin, nathans, orphan   2 weeks ago
golang-github-crewjam-httperr           go-sig, mgoodwin, nathans, orphan   2 weeks ago
golang-github-crewjam-saml              go-sig, mgoodwin, nathans, orphan   2 weeks ago
golang-github-dchest-uniuri             go-sig, mgoodwin, nathans, orphan   2 weeks ago
golang-github-logr-stdr                 eclipseo, go-sig, orphan            2 weeks ago
golang-github-magefile-mage             go-sig, mgoodwin, nathans, orphan   2 weeks ago
golang-github-russellhaering-goxmldsig  go-sig, mgoodwin, nathans, orphan   2 weeks ago
golang-github-timberio-datemath         go-sig, mgoodwin, nathans, orphan   2 weeks ago
golang-github-ua-parser-uap             go-sig, mgoodwin, nathans, orphan   2 weeks ago
hct                                     avigne, orphan                      5 weeks ago
kelbt                                   orphan                              5 weeks ago
llvm11.0                                orphan, tstellar                    0 weeks ago
moby-engine                             go-sig, gotmax23, orphan            0 weeks ago
monobristol                             orphan                              5 weeks ago
nautilus-search-tool                    orphan                              3 weeks ago
origin                                  go-sig, orphan, tdawson             5 weeks ago
owl-lisp                                huzaifas, orphan                    4 weeks ago
perl-Parse-Debian-Packages              orphan                              5 weeks ago
php-psr-http-client                     orphan                              5 weeks ago
pinpoint                                orphan                              3 weeks ago
pt-astra-sans-font                      orphan                              4 weeks ago
pt-astra-serif-font                     orphan                              4 weeks ago
python-APScheduler                      orphan, zuul                        1 weeks ago
python-PyRSS2Gen                        orphan                              0 weeks ago
python-cached_property                  adamwill, orphan                    0 weeks ago
python-charon                           orphan                              2 weeks ago
python-coreapi                          orphan                              5 weeks ago
python-coreschema                       orphan                              5 weeks ago
python-drf-yasg                         orphan                              5 weeks ago
python-hbmqtt                           orphan                              3 weeks ago
python-hs-dbus-signature                ignatenkobrain, jbaublitz,          1 weeks