Obsolete crypto tags are gone from v6 packages in #3017 , what remains to be
done is disabling validation on those by default.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1292#issuecomment-2036758478
You are receiving this because
I'm not sure what you mean by that. At least with the openssl-backend, whatever
system policy is set is already honored - including FIPS, which in fact does
cause v3 (and pre 4.14 built packages too) to fail to install. People are
running into this quite a bit in RHEL 8.
@pmatilai Would a good first step be to make this subject to system security
policy?
Rpm v3 is 20 years obsolete, except nominally for LSB. For the cross-distro
compatibility none of *that* matters one iota's worth. The big joke with this
all is that *no rpm version* from the last 20 years produces output that is
actually compatible with LSB.
> But that's getting off track. The thing is, there can never be "only one" set
> of algorithms in rpm. The initial design did just that, and that's why we're
> still forced to deal with MD5 as a required field in packages produced a
> decade after MD5 was declared obsolete. The rpm lifespan
@pmatilai we can also drop support for *parsing* v3 packages, which will help
reduce our attack surface.
Okay, in that case we agree :smile:
I think the "nice" way of killing v3 support is letting the obsolete crypto
those packages use make it effectively uninstallable due to being unverifiable.
That would actually already be the case, if it wasn't for the MD5
header+payload digest being the
> I don't remember anything in this regard in recent times. @Conan-Kudo , what
> are you referring to here?
Ah, I was mistaken, we haven't ripped out RPM v3 format support just yet, we
only deprecated it in ba385ec5b7f4340a4f9b6815efd0f1a9521a0b15. But removal of
LSB/v3 support is coming...
> It is important to recognize that security enhancements need to be balanced
> with usability and accessibility, otherwise nobody will use either for long.
> RPM has also been around for 25 years, and until _very_ recently, all RPMs
> produced in that timeframe were still accessible by the
> Besides the currently obsolete things, new things need to be built with the
> mindset that all crypto _will_ become obsolete over time, and avoid putting
> it into new places where it only gets in our way eventually.
I suggest avoiding algorithm agility as much as possible. It is great in
We need to come up with a plan how to deal with obsoleted crypto in rpm. MD5 is
practically gone long since and SHA1 is on its way out too, to the point that
it's not necessarily even possible to calculate these algorithms anymore (eg
MD5 on FIPS mode). Yet we still carry them in various
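The thread's point about system crypto policy (the OpenSSL backend honouring FIPS, so a package whose only digest is MD5 can no longer be verified and therefore cannot be installed) can be illustrated with a small policy-aware verifier. This is an added example written for this thread, not rpm's own code: `POLICIES`, `verify_package` and `make_package` are constructed names, the policy table is a simplified stand-in for crypto-policies, and the packages are constructed in memory. The one real behaviour it relies on is that `hashlib.new("md5")` raises `ValueError` on a host running in FIPS mode.

```python
"""Policy-aware digest verification (constructed example, not rpm code).

Models the thread's observation: once the system policy forbids an
algorithm, a package carrying only digests in that algorithm becomes
unverifiable, and refusing to install is the safe outcome.
"""
import hashlib

# Constructed policy table (hypothetical names): which digest algorithms a
# system policy permits for verification. Real systems consult crypto-policies;
# FIPS mode additionally makes hashlib.new("md5") raise ValueError outright.
POLICIES = {
    "LEGACY": {"md5", "sha1", "sha256"},
    "DEFAULT": {"sha1", "sha256"},
    "FIPS": {"sha256"},
}


def digest_available(algo, policy):
    """True if algo is permitted by policy and computable by the backend."""
    if algo not in POLICIES[policy]:
        return False
    try:
        hashlib.new(algo)  # raises ValueError under FIPS for md5
    except ValueError:
        return False
    return True


def verify_package(header_digests, payload, policy):
    """header_digests: {algo: hexdigest} as a package header might carry.

    Returns 'verified', 'mismatch' or 'unverifiable'. Digests in algorithms
    the policy forbids are ignored; if none remain, the package is refused
    rather than silently accepted.
    """
    usable = {a: d for a, d in header_digests.items()
              if digest_available(a, policy)}
    if not usable:
        return "unverifiable"
    for algo, expected in usable.items():
        if hashlib.new(algo, payload).hexdigest() != expected:
            return "mismatch"
    return "verified"


def make_package(payload, algos):
    """Constructed stand-in for a package: payload plus header digests.

    Algorithms the local backend cannot compute are simply left out, which
    is what an old package looks like to a FIPS host anyway.
    """
    digests = {}
    for algo in algos:
        try:
            digests[algo] = hashlib.new(algo, payload).hexdigest()
        except ValueError:
            continue
    return {"payload": payload, "digests": digests}


def install_decision(pkg, policy):
    """Outcome the installer would act on for pkg under policy."""
    return verify_package(pkg["digests"], pkg["payload"], policy)


if __name__ == "__main__":
    old = make_package(b"v3-era payload", ["md5"])           # MD5 only
    new = make_package(b"modern payload", ["md5", "sha256"])  # MD5 + SHA-256
    for name in POLICIES:
        print(f"{name:8} old={install_decision(old, name):13} "
              f"new={install_decision(new, name)}")
```

Run as a script it prints one line per policy; the MD5-only package verifies under LEGACY and is refused as unverifiable under FIPS, while the package that also carries SHA-256 verifies everywhere. The design choice worth noting is the `unverifiable` branch: skipping verification when no permitted algorithm remains would turn a policy change into a silent bypass, so the installer must treat it as a hard failure.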