Re: Fedora Copr builders updated to Fedora 38

Wed, 14 Jun 2023 01:12:52 -0700 

On 6/14/23 11:02, Pavel Raiskup wrote:

On úterý 13. června 2023 16:57:42 CEST Neal H. Walfield wrote:

On Thu, 08 Jun 2023 21:37:09 +0200,
Ondřej Budai wrote:

RPM Sequoia's crypto policies can be configured, so you should be able to 
re-enable SHA-1. However, this would
be a global change, not only for EL6... See
https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/#hash-functions
...
On Thu, Jun 8, 2023 at 5:42 PM Pavel Raiskup <prais...@redhat.com> wrote:

  Hello maintainers!

  Copr builders have been updated to Fedora 38 today (some old builders
  might still be running F37 ATM, but when they finish the task(s) they
  work on, they will be deleted). Our testsuite is passing just fine, so
  you _should_ be fine too :-).  Please let us know if you have some
  troubles.

  There was one important change in Fedora 38 - RPM switched to the
  Sequoia crypto backend.  It refuses SHA-1 in crypto;  which basically
  disallows Mock to properly check EL6 GPG signatures.  To allow further
  builds, we switched to gpgcheck=0 for all epel-6 chroots.  If you know a
  better work-around, let me know.


I find this behavior surprising.  The default policy as set by
fedora-crypto-policies is for rpm-sequoia is to accept SHA-1 (and
DSA-1024, ...):

   
https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/master/policies/FEDORA38.pol#L75

What policy are you using?


The `DEFAULT:SHA1`, but it is weird - I can not reproduce the build
failure now.  Is something changing in the backgrounds?
There haven't been any related changes in the last couple of months (that I'm aware of), but it was different initially yes. 

        - Panu -

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to