Am 01.03.23 um 16:31 schrieb Adam Williamson:
On Tue, 2023-02-28 at 09:10 +0100, Ralf Corsépius wrote:
Hi,
on f38, I am unable to install any locally built package (signed with a
local key, I have been using for many years):
"Many years" is likely the problem. It's probably using SHA-1 or DSA.
See, for e.g.,
https://bugzilla.redhat.com/show_bug.cgi?id=2170878 . Those are now
known to be insecure.
That bug covers some awkward problems with widely-used third parties
still using insecure keys to sign their packages, which likely means
this will get put off (one way or another) to at least Fedora 39. But
for your own locally built packages, which are under your control, you
can solve it permanently right now: generate a new key using a secure
algorithm, and re-sign your packages with that.
What are people supposed to do?
See above.
Cf. the discussion on *-devel.
Due to this list not being open, I do not see any sense trying to
furtherly discussing this issue here.
Only one point concerning you and this list: It seems obvious to me,
this change was not tested at all. The effects of this change are
desasterous,
Ralf
_______________________________________________
test mailing list -- test@lists.fedoraproject.org
To unsubscribe send an email to test-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/test@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
