Hello,

The Bacula community repo currently signs their packages with a SHA1 key. SHA1 is deprecated in EL9 onwards, and poses a security risk that only increases over time.

Do the community package maintainers have any plans to update the package signing process to use a SHA256 or greater SHA cipher? This would be a good move for a project which positions itself in the enterprise software space. I appreciate that this change would entail change and difficulty, and that there might be some downsides for users of older Bacula distributions, or for those who have previously installed Bacula using an older key. I do not know if it is possible to sign a package with both the old SHA1 key and a newer SHA256+ key (I suspect not, but this isn't my field of expertise).

Given that Bacula 15.x is in beta, this might be a good time to sign the next 15.x release with a new SHA256+ key, so at least packages 15.x onwards are signed with a more secure cipher standard.

Here is a brief writeup on the subject. I hope it is useful.
https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

Regards,
Robert Gerber
402-237-8692
r...@craeon.net
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
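An added example, not part of Robert Gerber's message and not code from the Bacula project: a POSIX shell helper that reads the report `rpm -Kv <package>.rpm` prints and classifies each package as signed with SHA-1/MD5, signed with SHA-256 or better, or unsigned. It is the sort of check an administrator can run over a repository mirror before an EL9 upgrade, since EL9's DEFAULT crypto policy refuses SHA-1 based package signatures (the subject of the linked Red Hat post). The three sample reports embedded in the script are constructed to match the shape of real `rpm -Kv` output; the package names and key IDs are placeholders, not real Bacula packages or keys. One detail the script deliberately handles: rpm also prints a `Header SHA1 digest: OK` line for v4-signed packages, which is a plain integrity digest rather than a signature, so only lines containing `Signature` are examined.

```shell
#!/bin/sh
# Added example; not from the original message or from the Bacula project.
# Parses the report printed by "rpm -Kv <package>.rpm" and tells SHA-1 (or
# MD5) based signatures apart from SHA-256-or-better ones. Only lines that
# describe a Signature are examined: the "Header SHA1 digest: OK" line that
# rpm also prints is an integrity digest, not a signature, and is not what
# EL9's DEFAULT crypto policy refuses.

# signature_algos REPORT
#   Print the "<pubkey>/<digest>" token (e.g. RSA/SHA256) of every signature
#   line in REPORT, one per line.
signature_algos() {
    printf '%s\n' "$1" | awk '
        /Signature/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ "^(RSA|DSA|ECDSA|EdDSA)/") print $i
        }'
}

# has_weak_signature REPORT
#   Exit 0 when at least one signature in REPORT uses SHA1 or MD5.
has_weak_signature() {
    signature_algos "$1" | grep -q -E '/(SHA1|MD5)$'
}

# sig_verdict REPORT
#   Print "weak" if any signature is SHA-1/MD5 based, "unsigned" if the
#   report carries no signature at all, otherwise "ok".
sig_verdict() {
    if [ -z "$(signature_algos "$1")" ]; then
        echo unsigned
    elif has_weak_signature "$1"; then
        echo weak
    else
        echo ok
    fi
}

# check_rpm_file PATH
#   Run rpm -Kv on a real package file and classify it. Requires rpm(8).
check_rpm_file() {
    sig_verdict "$(rpm -Kv "$1" 2>&1)"
}

# Constructed sample reports. Package names and key IDs are placeholders;
# the line shapes follow what rpm -Kv prints for v3- and v4-signed packages.
SAMPLE_SHA1_REPORT='old-package-1.0-1.x86_64.rpm:
    Header V3 RSA/SHA1 Signature, key ID 0000000000000001: OK
    Header SHA1 digest: OK
    V3 RSA/SHA1 Signature, key ID 0000000000000001: OK
    MD5 digest: OK'

SAMPLE_SHA256_REPORT='new-package-2.0-1.el9.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0000000000000002: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0000000000000002: OK
    MD5 digest: OK'

SAMPLE_UNSIGNED_REPORT='local-build-1.0-1.x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

# Usage: ./check_sig.sh /path/to/package.rpm
# With no argument, classify the constructed samples instead.
if [ -n "${1:-}" ]; then
    check_rpm_file "$1"
else
    echo "sample sha1:     $(sig_verdict "$SAMPLE_SHA1_REPORT")"
    echo "sample sha256:   $(sig_verdict "$SAMPLE_SHA256_REPORT")"
    echo "sample unsigned: $(sig_verdict "$SAMPLE_UNSIGNED_REPORT")"
fi
```

To sweep a repository mirror, loop `check_rpm_file` over `*.rpm` and treat any `weak` or `unsigned` result as a package that EL9 clients will refuse to install under the DEFAULT policy. The verdict comes from the signature's digest algorithm as rpm reports it, not from the key's own properties, so a repository re-signed with a fresh key will show `ok` even for packages whose payload has not changed.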