Bug 2034631 - Switch GnuTLS to allowlisting
Summary: Switch GnuTLS to allowlisting
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Alexander Sosedkin
QA Contact:
Depends On: 2041722
Blocks: F36Changes
Reported: 2021-12-21 14:54 UTC by Ben Cotton
Modified: 2022-05-10 14:41 UTC

Last Closed: 2022-05-10 14:41:45 UTC
Type: ---

Description Ben Cotton 2021-12-21 14:54:35 UTC
This is a tracking bug for Change: Switch GnuTLS to allowlisting
For more details, see: https://fedoraproject.org/wiki/Changes/GnutlsAllowlisting

Presently, crypto-policies controls GnuTLS in a way that "hard-disables" select algorithms, leaving no option for the applications using GnuTLS to re-enable said algorithms. We propose switching to a more future-proof allowlisting-based configuration method and offering an API within GnuTLS to loosen the system defaults for specific processes.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.

Comment 1 Ben Cotton 2022-02-08 21:07:23 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 36 development cycle.
Changing version to 36.

Comment 2 Ben Cotton 2022-02-08 21:15:06 UTC
Today we reached the Code Complete (testable) milestone in the F36 schedule: https://fedorapeople.org/groups/schedule/f-36/f-36-key-tasks.html

All code for this change should be complete enough for testing. You can indicate this by setting the bug status to MODIFIED. (If the code is fully complete, you can go ahead and set it to ON_QA.)

If you need to defer this Change to F37, please needinfo bcotton.

Comment 3 Alexander Sosedkin 2022-02-09 10:25:49 UTC
Apologies for not being transparent enough about the rollout status.

The changes have landed in rawhide as
first gnutls-3.7.3-1.fc36,
then crypto-policies-20220119-1.git50109e7.fc36,
completing the switch 20 days ago.

If there's some other place where this info should be posted,
please tell me or do that directly if you wish.

Judging by the low volume of bug reports, the switch went rather smoothly
(as in, I didn't break wget google.com like I did in bz1979200).
There were some follow-up fixes based on private communication reports since then,
but nothing too disruptive or major has cropped up so far.
I'd assess the risk of us backing out and deferring as very low.

Comment 4 Ben Cotton 2022-05-10 14:41:45 UTC
F36 was released today. If this Change did not land in the release, please notify bcotton as soon as possible.
