> > That probably provides no material benefit for us. IRIX, AIX, and other
> > Unix-types are supported by community contributors. OS/2 support is
> > maintained _mostly_ out of tree, but we don't need to make their lives
> > considerably harder if we don't have to.
>
> It wouldn’t be a
> That probably provides no material benefit for us. IRIX, AIX, and other
> Unix-types are supported by community contributors. OS/2 support is
> maintained _mostly_ out of tree, but we don't need to make their lives
> considerably harder if we don't have to.
It wouldn’t be a regression,
> > > > > > > > Yes, this is a known - or not so well known - limitation. As
> > > > > > > > the signature check is basically done by hand it lack a lot of
> > > > > > > > feature one would expect of GPG proper.
> > > > > > >
> > > > > > >
> > > > > > > Can we (as an option) use a third-party
> > > > > > > Yes, this is a known - or not so well known - limitation. As the
> > > > > > > signature check is basically done by hand it lack a lot of
> > > > > > > feature one would expect of GPG proper.
> > > > > >
> > > > > >
> > > > > > Can we (as an option) use a third-party library,
> > @DemiMarie, is there any reason to use your lib instead of sequoia?
>
> Sequoia is GPL; not sure if this is a problem. I have no affiliation with
> rpgp; it is merely a Rust library I came across.
This is a problem, librpm is LGPL and we'd like to maintain that.
--
You are receiving this
> > > > > > Yes, this is a known - or not so well known - limitation. As the
> > > > > > signature check is basically done by hand it lack a lot of feature
> > > > > > one would expect of GPG proper.
> > > > >
> > > > >
> > > > > Can we (as an option) use a third-party library, such as
> > >
> > > > > Yes, this is a known - or not so well known - limitation. As the
> > > > > signature check is basically done by hand it lack a lot of feature
> > > > > one would expect of GPG proper.
> > > >
> > > >
> > > > Can we (as an option) use a third-party library, such as
> > > >
> @DemiMarie, is there any reason to use your lib instead of sequoia?
Sequoia is GPL; not sure if this is a problem. I have no affiliation with
rpgp; it is merely a Rust library I came across.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly
A knob that defaults to off would be fine.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1467#issuecomment-751378608___
> > > > > Besides the currently obsolete things, new things need to be built
> > > > > with the mindset that all crypto _will_ become obsolete over time,
> > > > > and avoid putting it into new places where it only gets in our way
> > > > > eventually.
> > > >
> > > >
> > > > I suggest
> > > > Yes, this is a known - or not so well known - limitation. As the
> > > > signature check is basically done by hand it lack a lot of feature one
> > > > would expect of GPG proper.
> > >
> > >
> > > Can we (as an option) use a third-party library, such as
> > > [rpgp](/rpgp/rpgp)?
> >
We probably would want this as a knob, because users can't help it if an RPM
uses those hash functions and they need to install it. Admittedly, I think
we've been using SHA256 digests since RPM 4.11 (RHEL7), but Enterprise Linux
distributions live a _long_ time. Defaulting to those being turned
> > > > Besides the currently obsolete things, new things need to be built with
> > > > the mindset that all crypto _will_ become obsolete over time, and avoid
> > > > putting it into new places where it only gets in our way eventually.
> > >
> > >
> > > I suggest avoiding algorithm agility as
@DemiMari, is there any reason to use your lib instead of sequoia?
>We can always detect at compile-time if the Rust library is available, and
>fall back to the built-in parser if it is not.
In runtime. By creating an abstraction layer, detecting the available libs and
then prioritizing more
> > > Yes, this is a known - or not so well known - limitation. As the
> > > signature check is basically done by hand it lack a lot of feature one
> > > would expect of GPG proper.
> >
> >
> > Can we (as an option) use a third-party library, such as [rpgp](/rpgp/rpgp)?
>
> Rust is not
That said, there are C libraries that we can use instead, such as the one used
by Thunderbird.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
Hash functions with outputs smaller than 224 bits, and <2048 bit RSA and DSA
signatures, are not a good idea. RPM should refuse to rely on such algorithms
for security.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
17 matches
Mail list logo