Hi Ben,

Ben Cotton <bcot...@redhat.com> wrote:

> Within the Fedora package set, this has no impact as everything is already
> using sufficiently strong crypto. Third party repositories / packages
> could be signed with insecure crypto, and those may require working
> around with --nosignature. However this incidentally overlaps with
> https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2
> which has effectively the same effect on rpm.

Note that the StrongCryptoSettings3Forewarning2 proposal recently failed to
gather enough votes to be accepted, so it will likely not be happening (or
not in this form) for Fedora 38.

Additionally, crypto-policies would have supported switching to LEGACY to
allow installation of non-conforming RPMs, so you should at least provide a
method to also install such old RPMs, ideally while still verifying the old
SHA-1 signature rather than ignoring it completely.


HTH,
Clemens

--
Clemens Lang
RHEL Crypto Team
Red Hat


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org