Bug 2034631

Summary: Switch GnuTLS to allowlisting
Product: [Fedora] Fedora
Component: Changes Tracking
Version: 36
Status: CLOSED CURRENTRELEASE
Reporter: Ben Cotton <bcotton>
Assignee: Alexander Sosedkin <asosedki>
CC: bcotton, dueno
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-05-10 14:41:45 UTC
Bug Depends On: 2041722
Bug Blocks: 1982279

Description Ben Cotton 2021-12-21 14:54:35 UTC
This is a tracking bug for Change: Switch GnuTLS to allowlisting
For more details, see: https://fedoraproject.org/wiki/Changes/GnutlsAllowlisting

Presently, crypto-policies controls GnuTLS in a way that "hard-disables" select algorithms, leaving no option for the applications using GnuTLS to re-enable said algorithms. We propose switching to a more future-proof allowlisting-based configuration method and offering an API within GnuTLS to loosen the system defaults for specific processes.

If you encounter a bug related to this Change, please do not comment here. Instead, create a new bug and set it to block this bug.

Comment 1 Ben Cotton 2022-02-08 21:07:23 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 36 development cycle.
Changing version to 36.

Comment 2 Ben Cotton 2022-02-08 21:15:06 UTC
Today we reached the Code Complete (testable) milestone in the F36 schedule: https://fedorapeople.org/groups/schedule/f-36/f-36-key-tasks.html

All code for this change should be complete enough for testing. You can indicate this by setting the bug status to MODIFIED. (If the code is fully complete, you can go ahead and set it to ON_QA.)

If you need to defer this Change to F37, please needinfo bcotton.

Comment 3 Alexander Sosedkin 2022-02-09 10:25:49 UTC
Apologies for not being transparent enough about the rollout status.

The changes have landed in rawhide as
first gnutls-3.7.3-1.fc36,
then crypto-policies-20220119-1.git50109e7.fc36,
completing the switch 20 days ago.

If there's some other place where this info should be posted,
please tell me or do that directly if you wish.

Judging by the low volume of bug reports, the switch went rather smoothly
(as in, I didn't break wget google.com like I did in bz1979200).
There were some follow-up fixes based on private communication reports since then,
but nothing too disruptive or major has cropped up so far.
I'd assess the risk of us backing out and deferring as very low.

Comment 4 Ben Cotton 2022-05-10 14:41:45 UTC
F36 was released today. If this Change did not land in the release, please notify bcotton as soon as possible.