It appears that the policy updates that were done for sequoia-openpgp v2 landed only in rawhide but were not merged back to f42 or f41. This doesn't (yet) affect rpm-sequoia since I held off with updating it to 1.8+ in stable branches for now. But sq 1.3.0 *is* available across all branches of Fedora, so it's a bit broken with the current crypto policy. Reproducible: Always
Thank you for bringing this up. Unfortunately, crypto-policies does very much the opposite and tries to not update on stable Fedora at all, keeping a linear history. Though there we do need backports, so I'm working on that. Since you update stables uniformly, I'll aim to bring the configs to their current rawhide state, sans the PQ-by-default enablement.
> crypto-policies does very much the opposite and tries to not update on stable Fedora at all I agree that this makes sense for many things. I did the same for rpm-sequoia 1.8+. But sq 1.x were all backwards-compatible releases that didn't have user-facing breaking changes, so it made sense to update to sq 1.3 in stable branches too. Do you know whether backporting the rpm-sequoia changes to f42 and f41 include breaking changes to the policy that would *require* updating rpm-sequoia to v1.8+? If that is the case, then *only* updating the sequoia policy might make sense instead, and we can revisit updating the rpm-sequoia policy when / if ever abolutely necessary.
... crypto-policies-20250707-1.gitad370a8.fc42 is my f42 take on this, will do backporting to f41 next ...
> Do you know whether backporting the rpm-sequoia changes to f42 and f41 include breaking changes to the policy that would *require* updating rpm-sequoia to v1.8+? the changes 1. add algorithms and update ignore_invalid accordingly, so that should be fine 2. add a `[aead_algorithms]` section, but I think that's an old feature (2022 / sequoia-openpgp v1.11?)
FEDORA-2025-a2b8a15a8b (crypto-policies-20250707-1.git836bbee.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-a2b8a15a8b
Thank you - makes sense to me!
FEDORA-2025-a2b8a15a8b has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-a2b8a15a8b` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-a2b8a15a8b See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-a2b8a15a8b (crypto-policies-20250707-1.git836bbee.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.