Re: Intention to tighten RPM crypto-policy back

2023-10-06 Thread Kevin Fenzi
On Fri, Oct 06, 2023 at 01:09:08PM +0200, Petr Pisar wrote: > > These Fedora Project keys distribute in > are also affected: > > $ gpg --list-keys 6A2FAEA2352C64E5 > pub rsa4096 2013-12-16 [SCE] > 91E97D7C4A5E96F17F3E888F6A2FAEA2352C64E5 > uid

Re: Intention to tighten RPM crypto-policy back

2023-10-06 Thread Petr Pisar
On Fri, Oct 06, 2023 at 12:53:23PM +0200, Kamil Paral wrote: > On Tue, Sep 26, 2023 at 7:23 PM Alexander Sosedkin > wrote: > > > On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi wrote: > > > It might be good to go through all the ones that were hit by this (it > > > wasn't just chrome) and

Re: Intention to tighten RPM crypto-policy back

2023-10-06 Thread Kamil Paral
On Tue, Sep 26, 2023 at 7:23 PM Alexander Sosedkin wrote: > On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi wrote: > > It might be good to go through all the ones that were hit by this (it > > wasn't just chrome) and indicate if they are now fixed. > > You can see a partial list in the common bug:

Re: Intention to tighten RPM crypto-policy back

2023-09-28 Thread Clemens Lang
Hi, > On 28. Sep 2023, at 14:06, Panu Matilainen wrote: > > On 9/27/23 20:37, Alexander Sosedkin wrote: >> >> In fact, even Chrome can't be installed with the change properly reverted. >> Guess I'll have to shelve the wide discussion for a while, we aren't ready. >> =( > > AIUI the current

Re: Intention to tighten RPM crypto-policy back

2023-09-28 Thread Panu Matilainen
On 9/27/23 20:37, Alexander Sosedkin wrote: On Tue, Sep 19, 2023 at 11:19 AM Alexander Sosedkin wrote: Hello, 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960 Long story short: RPM has moved to sequoia, sequoia has started respecting crypto-policies, Google repos

Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Alexander Sosedkin
On Tue, Sep 19, 2023 at 11:19 AM Alexander Sosedkin wrote: > > Hello, > > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960 > Long story short: > RPM has moved to sequoia, > sequoia has started respecting crypto-policies, > Google repos have been signed with a 1024-bit

Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Alexander Sosedkin
On Wed, Sep 27, 2023 at 2:38 PM Stephen Gallagher wrote: > > On Wed, Sep 27, 2023 at 7:06 AM Alexander Sosedkin > wrote: > ... > > Feel free to strike down these proposals > > using whatever mechanisms Fedora governance offers. > > https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3 >

Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Stephen Gallagher
On Wed, Sep 27, 2023 at 7:06 AM Alexander Sosedkin wrote: ... > Feel free to strike down these proposals > using whatever mechanisms Fedora governance offers. > https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3 > rejection suggests they do work. To be clear, that one was rejected

Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Alexander Sosedkin
On Tue, Sep 26, 2023 at 7:40 PM Kevin Kofler via devel wrote: > > Alexander Sosedkin wrote: > > Because of that, I'd like to revert that RPM policy relaxation > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5 > > in (f39) rawhide and

Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Peter Robinson
On Wed, Sep 27, 2023 at 11:04 AM Alexander Sosedkin wrote: > > On Tue, Sep 26, 2023 at 7:47 PM Peter Robinson wrote: > > > > On Tue, Sep 19, 2023 at 10:20 AM Alexander Sosedkin > > wrote: > > > > > > Hello, > > > > > > 6 months ago, there's been a F38 blocker: > > >

Re: Intention to tighten RPM crypto-policy back

2023-09-27 Thread Alexander Sosedkin
On Tue, Sep 26, 2023 at 7:47 PM Peter Robinson wrote: > > On Tue, Sep 19, 2023 at 10:20 AM Alexander Sosedkin > wrote: > > > > Hello, > > > > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960 > > Long story short: > > RPM has moved to sequoia, > > sequoia has started

Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Björn Persson
Kevin Kofler via devel wrote: > I am still opposed, because it is still a backwards-incompatible change that > breaks existing repositories (such as my Calcforge one) Backwards-incompatible changes are often made far too nonchalantly. This is not one of those cases. When it comes to

Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Kevin Fenzi
On Tue, Sep 26, 2023 at 07:22:56PM +0200, Alexander Sosedkin wrote: > > Whoa, that's too many, I suspect misreporting. Could be. > I seriously doubt they were all really using DSA-1024 and switched over. > But if that really was the case --- great job to all of them. > > > The list from

Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Gary Buhrmaster
On Tue, Sep 26, 2023 at 5:40 PM Kevin Kofler via devel wrote: > I am still opposed, because it is still a backwards-incompatible change that > breaks existing repositories (such as my Calcforge one) just so that someone > can tick a checkbox on some "security" checklist. Are you saying you need

Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Peter Robinson
On Tue, Sep 19, 2023 at 10:20 AM Alexander Sosedkin wrote: > > Hello, > > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960 > Long story short: > RPM has moved to sequoia, > sequoia has started respecting crypto-policies, > Google repos have been signed with a 1024-bit

Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Peter Robinson
On Tue, Sep 26, 2023 at 6:23 PM Alexander Sosedkin wrote: > > On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi wrote: > > > > On Tue, Sep 19, 2023 at 11:19:18AM +0200, Alexander Sosedkin wrote: > > > Hello, > > > > > > 6 months ago, there's been a F38 blocker: > > >

Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Kevin Kofler via devel
Alexander Sosedkin wrote: > Because of that, I'd like to revert that RPM policy relaxation > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5 > in (f39) rawhide and align RPM security with the rest of the policy. > > Thoughts / feedback?

Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Alexander Sosedkin
On Tue, Sep 19, 2023 at 7:47 PM Kevin Fenzi wrote: > > On Tue, Sep 19, 2023 at 11:19:18AM +0200, Alexander Sosedkin wrote: > > Hello, > > > > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960 > > Long story short: > > RPM has moved to sequoia, > > sequoia has started

Re: Intention to tighten RPM crypto-policy back

2023-09-26 Thread Alexander Sosedkin
On Tue, Sep 19, 2023 at 12:44 PM Miroslav Suchý wrote: > > On 19. 09. 23 at 11:19, Alexander Sosedkin wrote: > > Because of that, I'd like to revert that RPM policy relaxation > > https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5 > > in

Re: Intention to tighten RPM crypto-policy back

2023-09-19 Thread Kevin Fenzi
On Tue, Sep 19, 2023 at 11:19:18AM +0200, Alexander Sosedkin wrote: > Hello, > > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960 > Long story short: > RPM has moved to sequoia, > sequoia has started respecting crypto-policies, > Google repos have been signed with a

Re: Intention to tighten RPM crypto-policy back

2023-09-19 Thread Miroslav Suchý
On 19. 09. 23 at 11:19, Alexander Sosedkin wrote: Because of that, I'd like to revert that RPM policy relaxation https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/commit/a12f7b20638be8f872ad1995c7d2edce41c227b5 in (f39) rawhide and align RPM security with the rest of the policy.

Re: Intention to tighten RPM crypto-policy back

2023-09-19 Thread Alexander Sosedkin
On Tue, Sep 19, 2023 at 11:19 AM Alexander Sosedkin wrote: > > Hello, > > 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960 > Long story short: > RPM has moved to sequoia, > sequoia has started respecting crypto-policies, > Google repos have been signed with a 1024-bit

Intention to tighten RPM crypto-policy back

2023-09-19 Thread Alexander Sosedkin
Hello, 6 months ago, there's been a F38 blocker: https://pagure.io/fesco/issue/2960 Long story short: RPM has moved to sequoia, sequoia has started respecting crypto-policies, Google repos have been signed with a 1024-bit DSA key, Google Chrome was not installable => F38 blocker. Back at the