Alexander Sosedkin <asosedkin(a)redhat.com> writes:
> Daniel P. Berrangé <berrange(a)redhat.com> wrote:
> > Perhaps a useful first step is to just modify the three main
> > crypto libs (gnutls, openssl, and nss) to send a scary warning
> > message to stderr/syslog any time they get use of SHA1 in a
> > signature. Leave that active for a release cycle and see how
> > many bug reports we get.
> I left my crystal ball at home today,
> but I don't need it to say it'd be ~0 bugs filed if we log to syslog
> and ~3 if we log to stderr/stdout, all named
> "$CRYPTOLIB has no business messing up my stderr/stdout",
It's clear you want SHA-1 gone, but the way you've written this maybe
isn't conveying what you want, as it sounds like you're also unwilling to
process the bugs that result requesting its removal. (If you, who want
it gone, aren't willing to participate in that, why should maintainers
care?)
As I understood the proposal, it would be for the crypto lib to log a
message like:
[timestamp] /usr/bin/firefox used DEPRECATED SHA-1 invocation
This is similar to what happened for /var/run: sure, it was annoying to
basically everyone involved, but the bugs also went to the relevant
packages.
> which we'll promptly close by reverting the changes.
I don't see why you'd do that instead of reassigning to the appropriate
packages or (better) helping them migrate.
Be well,
--Robbie