On Wed, 5 Feb 2025 at 05:36, Zoltán Böszörményi <[email protected]> wrote:
> Also ship a crypto policy file which is used to validate
> signing keys.
>  .../rpm-sequoia/rpm-sequoia.config            |  51 ++
> +++ b/meta/recipes-devtools/rpm-sequoia/rpm-sequoia/rpm-sequoia.config
> @@ -0,0 +1,51 @@
> +[hash_algorithms]
> +md5.collision_resistance = "never"
> +md5.second_preimage_resistance = "never"
> +sha1.collision_resistance = "always"
> +sha1.second_preimage_resistance = "always"
> +ripemd160.collision_resistance = "never"
> +ripemd160.second_preimage_resistance = "never"
> +sha224.collision_resistance = "always"
> +sha224.second_preimage_resistance = "always"
> +sha256.collision_resistance = "always"
> +sha256.second_preimage_resistance = "always"
> +sha384.collision_resistance = "always"
> +sha384.second_preimage_resistance = "always"
> +sha512.collision_resistance = "always"
> +sha512.second_preimage_resistance = "always"
> +default_disposition = "never"
> +
> +[symmetric_algorithms]
> +idea = "never"
> +tripledes = "never"
> +cast5 = "never"
> +blowfish = "never"
> +aes128 = "always"
> +aes192 = "never"
> +aes256 = "always"
> +twofish = "never"
> +camellia128 = "always"
> +camellia192 = "never"
> +camellia256 = "always"
> +default_disposition = "never"
> +
> +[asymmetric_algorithms]
> +rsa1024 = "never"
> +rsa2048 = "always"
> +rsa3072 = "always"
> +rsa4096 = "always"
> +dsa1024 = "always"
> +dsa2048 = "always"
> +dsa3072 = "always"
> +dsa4096 = "always"
> +nistp256 = "always"
> +nistp384 = "always"
> +nistp521 = "always"
> +cv25519 = "always"
> +elgamal1024 = "never"
> +elgamal2048 = "never"
> +elgamal3072 = "never"
> +elgamal4096 = "never"
> +brainpoolp256 = "never"
> +brainpoolp512 = "never"
> +default_disposition = "never"
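Review bot: the entries that most need a written justification are `sha1.collision_resistance = "always"` and `dsa1024 = "always"` in this hunk, since the same file sets `md5.collision_resistance = "never"` and `rsa1024 = "never"`, so a reader cannot tell whether the weaker SHA-1 and 1024-bit DSA settings are deliberate (e.g. to keep verifying packages signed with older keys) or copied over unreviewed. Suggest either flipping them to `"never"` or adding a comment next to them stating why they are allowed; a header comment at the top of the file naming the upstream policy it was derived from and the date it was last reviewed would also make the maintenance question answerable from the file itself.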

You need to very clearly explain how this was created (or where it was
copied from), and how it should be kept up to date. Either in the file
itself, or in the recipe that includes it. Otherwise it's a 'magic
file' that no one knows how to maintain. Hardcoded lists of crypto
algorithms are notoriously prone to becoming outdated, insecure, or
both.

Alex
View/Reply Online (#210841): https://lists.openembedded.org/g/openembedded-core/message/210841