From Fedora Project Wiki
m (→‎User Experience: fix wiki syntax)
 
(10 intermediate revisions by 2 users not shown)
Line 11: Line 11:


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF38]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 17: Line 17:
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->


<!-- Select proper category, default is Self Contained Change -->
[[Category:SystemWideChange]]
[[Category:SelfContainedChange]]
<!-- [[Category:SystemWideChange]] -->


* Targeted release: [[Releases/38 | Fedora Linux 38 ]]  
* Targeted release: [[Releases/38 | Fedora Linux 38 ]]  
Line 29: Line 27:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/AT3C4FGYIJNSUNF4QEYYTQ6CWHHBECEX/ devel thread]
* Tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=2130122 <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/2881 #2881]
* Release notes tracker: <will be assigned by the Wrangler>
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2130122 #2130122]
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/892 #892]


== Detailed Description ==
== Detailed Description ==
Line 53: Line 52:
** Help [https://bugzilla.redhat.com/show_bug.cgi?id=2087499 package/review rpm-sequoia]
** Help [https://bugzilla.redhat.com/show_bug.cgi?id=2087499 package/review rpm-sequoia]


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issue/11077 #11077]  
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuild required?  include a link to the releng issue.
The issue is required to be filed prior to feature submission, to ensure that someone is on board to do any process development work and testing and that all changes make it into the pipeline; a bullet point in a change is not sufficient communication -->
 
* Policies and guidelines: N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
Line 71: Line 67:
== User Experience ==
== User Experience ==
For normal usage, the change is quite invisible. The notable exceptions are
For normal usage, the change is quite invisible. The notable exceptions are
- Some old, insecure (MD5/SHA1 based) signatures are rejected.
* Some old, insecure (MD5/SHA1 based) signatures are rejected (this is in line with the stronger crypto settings proposed elsewhere for F38)
- Key import may accept some previously rejected keys, in part due to limitations of old parser etc but in particular, the old implementation verifies self-signatures at import time whereas Sequoia verifies them at time of use.
* Key import may accept some previously rejected keys, in part due to limitations of old parser etc but in particular, the old implementation verifies self-signatures at import time whereas Sequoia verifies them at time of use.
- Key import may reject some previously accepted keys due to better validation.
* Key import may reject some previously accepted keys due to better validation.


== Dependencies ==
== Dependencies ==

Latest revision as of 16:58, 28 February 2023

Rpm Sequoia

Summary

Change RPM to use Sequoia based OpenPGP parser instead of it's own, flawed and limited implementation.

Owner

Current status

Detailed Description

For the last 20 years or so, RPM has used a home-grown OpenPGP parser for dealing with keys and signatures. That parser is rather infamous for its limitations and flaws, and especially in recent years has proven a significant burden to RPM development. In order to improve security and free developer resources for dealing with RPM's "core business" instead, RPM upstream is in the process of deprecating the internal parser in favor of Sequoia PGP based solution written in Rust. At this point the change is mostly invisible in normal daily use.

Feedback

Benefit to Fedora

The main, direct benefit to Fedora is improved security and standards-compliance (RFC-4880) in one of the corner-stones of the whole distribution. Longer term, we can expect better error messages and other functional improvements regarding key and signature handling.

Scope

  • Release engineering: #11077
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

Within Fedora package set, this has no impact as everything is already using sufficiently strong crypto. Third party repositories / packages could be signed with insecure crypto, and those may require working around with --nosignature. However this incidentally overlaps with https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2 which has effectively the same effect on rpm.

How To Test

In general, normal rpm/dnf use provides sufficient test coverage. For more advanced testers: try signing and verifying with different keys and their subkeys, using different algorithms etc.

User Experience

For normal usage, the change is quite invisible. The notable exceptions are

  • Some old, insecure (MD5/SHA1 based) signatures are rejected (this is in line with the stronger crypto settings proposed elsewhere for F38)
  • Key import may accept some previously rejected keys, in part due to limitations of old parser etc but in particular, the old implementation verifies self-signatures at import time whereas Sequoia verifies them at time of use.
  • Key import may reject some previously accepted keys due to better validation.

Dependencies

The change introduces one new direct dependency: rpm-sequoia. The rpm-sequoia package also takes over other crypto besides OpenPGP, currently Sequoia uses nettle as its low-level crypto provider, but work is underway to support openssl in Sequoia, and the plan is to have Sequoia in Fedora use that once it becomes available. This plan has support of the crypto team.

Contingency Plan

  • Contingency mechanism: Revert back to the internal PGP parser
  • Contingency deadline: Beta release
  • Blocks release? No

Documentation

There's not much in the way of documentation as there's not much to document, except for the deprecation of the internal parser: https://github.com/rpm-software-management/rpm/issues/1935

rpm-sequoia build instructions can be found in https://github.com/rpm-software-management/rpm-sequoia/

Release Notes