Hi Leon,
On 24. Jun 2023, at 19:44, Leon Fauster via devel
<devel(a)lists.fedoraproject.org> wrote:
> > I will also point out that CentOS Stream is perfectly suitable for
> > production use, and I would argue it provides a differentiated
> Nope, it's not perfect for production use. Just an example of _many_:
> https://bugzilla.redhat.com/show_bug.cgi?id=2184640
Apologies for this particular one. We thought we had everything covered in this area, but
we messed up and our tests didn’t catch this before it exploded into our faces. Rest
assured it wasn’t because we were trying to use the community as guinea pigs; we ourselves
were surprised by the fallout, and have been working internally with the maintainers of
our signing keys to get this resolved. That work is still ongoing, but we will probably
delay disabling SHA-1 in PGP use until CentOS Stream 10/RHEL 10.
--
Clemens Lang
RHEL Crypto Team
Red Hat