On Tue, Mar 08, 2022 at 07:40:15PM +0100, Alexander Sosedkin wrote:
> We've been disabling it in TLS, but its usage is much wider than
> TLS.
> The next agonizing step is to restrict its usage for signatures
> on the cryptographic libraries level, with openssl being the scariest one.
> Good news is, RHEL-9 is gonna lead the way
> and thus will take a lot of the hits first.
> Fedora doesn't have to pioneer it.
> Bad news is, Fedora has to follow suit someday anyway,
> and this brings me to how does one land such a change.
> ---
> Fedora is a large distribution with short release cycles, and
> the only realistic way to weed out its reliance on SHA-1 signatures
> from all of its numerous dark corners is to break them.
> Make creation and verification fail in default configuration.
> But it's unreasonable to just wait for, say, Fedora 37 branch-off
> and break it in Rawhide for Fedora 38.
> The fallout will just be too big.
If RHEL-9 has led the way, what are the stats for real world
RHEL impact?
What is/was the absolute number of packages and % number of
packages from the RHEL distro that saw breakage ?
Such figures can give us a better idea of impact on Fedora
beyond "too big".
Assuming RHEL-9 has dealt with the problems, Fedora should
inherit those fixes, which gives us a good base for the most
commonly used / important packages in Fedora.
If the breakage % from RHEL was single digits, and those
were the most important packages to fix from Fedora's POV
too, then maybe the fallout is not in fact "too big". It might
be sufficient to identify a few important remaining packages
to validate, and just accept that the fallout for the remaining
less important packages in Fedora can be fixed after the
fact?
IIUC we have a simple workaround of letting someone set the
crypto policies on their machine back to LEGACY still.
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
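The thread is about making SHA-1 signature creation and verification fail in openssl's default configuration, with the LEGACY crypto policy as the escape hatch. The following POSIX shell probe is an added example, not code from the thread, from Fedora, or from the crypto-policies project: it lets a package maintainer see what the local OpenSSL currently does with SHA-1 signatures (and, for contrast, SHA-256) under whatever policy is active, so breakage can be found before a policy flip rather than after. It assumes an `openssl` binary and `mktemp` on PATH and generates its own throwaway key; the sample payload is constructed.

```sh
#!/bin/sh
# Added example (not part of the mailing-list thread): probe whether the
# local OpenSSL still creates and verifies signatures over a given digest
# under the currently active crypto policy.
# Assumes `openssl` and `mktemp` are on PATH. The RSA key is a throwaway
# generated here and removed afterwards; the payload is constructed.

# Usage: probe_signature_digest sha1   (or sha256, sha512, ...)
# Prints exactly one of:
#   allowed          sign and verify both succeeded
#   sign-rejected    policy refused to create the signature
#   verify-rejected  signature created, but verification refused it
#   keygen-failed    could not generate the throwaway key
#   no-openssl       no openssl binary available
probe_signature_digest() {
    digest="$1"
    command -v openssl >/dev/null 2>&1 || { echo "no-openssl"; return 0; }
    tmp=$(mktemp -d) || return 1
    printf 'constructed sample payload\n' > "$tmp/msg"

    # Throwaway 2048-bit RSA key pair used only for this probe.
    if ! openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$tmp/key.pem" >/dev/null 2>&1 \
       || ! openssl pkey -in "$tmp/key.pem" -pubout \
            -out "$tmp/pub.pem" >/dev/null 2>&1; then
        rm -rf "$tmp"; echo "keygen-failed"; return 0
    fi

    # Step 1: signature creation. A policy that bans the digest for
    # signatures makes this call fail.
    if ! openssl dgst "-$digest" -sign "$tmp/key.pem" -out "$tmp/sig" \
            "$tmp/msg" >/dev/null 2>&1; then
        rm -rf "$tmp"; echo "sign-rejected"; return 0
    fi

    # Step 2: verification of the signature just produced.
    if openssl dgst "-$digest" -verify "$tmp/pub.pem" -signature "$tmp/sig" \
            "$tmp/msg" >/dev/null 2>&1; then
        result="allowed"
    else
        result="verify-rejected"
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Report SHA-1 next to SHA-256 so the policy effect is visible at a glance.
for d in sha1 sha256; do
    printf '%s signatures: %s\n' "$d" "$(probe_signature_digest "$d")"
done
```

On a RHEL 9 or Fedora host, `update-crypto-policies --show` prints the active policy; running the probe before and after `update-crypto-policies --set LEGACY` (the workaround named above) shows the SHA-1 line moving between `sign-rejected` and `allowed` while SHA-256 stays `allowed`. Note that this only exercises OpenSSL's own signing path; applications that carry their own SHA-1 code, or that call other libraries, need their own checks.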