Bug 2376813
| Summary: | merge sequoia / rpm-sequoia policy updates from rawhide to f42 and f41 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Fabio Valentini <decathorpe> |
| Component: | crypto-policies | Assignee: | Red Hat Crypto Team <crypto-team> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 42 | CC: | asosedki, crypto-team, luk.claes, rrelyea, tm |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | Flags: | fedora-admin-xmlrpc: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| URL: | https://gitlab.com/sequoia-pgp/user-documentation/-/issues/20 | ||
| Whiteboard: | |||
| Fixed In Version: | crypto-policies-20250707-1.git836bbee.fc41 | Doc Type: | --- |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2025-07-13 02:58:09 UTC | Type: | --- |
Description
Fabio Valentini
2025-07-07 13:55:05 UTC
Thank you for bringing this up. Unfortunately, crypto-policies does very much the opposite and tries to not update on stable Fedora at all, keeping a linear history. Though there we do need backports, so I'm working on that. Since you update stables uniformly, I'll aim to bring the configs to their current rawhide state, sans the PQ-by-default enablement.

> crypto-policies does very much the opposite and tries to not update on stable Fedora at all

I agree that this makes sense for many things. I did the same for rpm-sequoia 1.8+.
But sq 1.x were all backwards-compatible releases that didn't have user-facing breaking changes, so it made sense to update to sq 1.3 in stable branches too.
Do you know whether backporting the rpm-sequoia changes to f42 and f41 include breaking changes to the policy that would *require* updating rpm-sequoia to v1.8+? If that is the case, then *only* updating the sequoia policy might make sense instead, and we can revisit updating the rpm-sequoia policy when / if ever absolutely necessary.

... crypto-policies-20250707-1.gitad370a8.fc42 is my f42 take on this, will do backporting to f41 next ...

> Do you know whether backporting the rpm-sequoia changes to f42 and f41 include breaking changes to the policy that would *require* updating rpm-sequoia to v1.8+?

the changes
1. add algorithms and update ignore_invalid accordingly, so that should be fine
2. add a `[aead_algorithms]` section, but I think that's an old feature (2022 / sequoia-openpgp v1.11?)

FEDORA-2025-a2b8a15a8b (crypto-policies-20250707-1.git836bbee.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-a2b8a15a8b

Thank you - makes sense to me!

FEDORA-2025-a2b8a15a8b has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-a2b8a15a8b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-a2b8a15a8b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2025-a2b8a15a8b (crypto-policies-20250707-1.git836bbee.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.