|StrongCryptoSettings3 Test Day|
|Time||9:00 - 20:00 CEST|
What to test?
This Test Day will focus on the upcoming (in F38-F39) tightening of crypto-policies: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3
The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:
- Development - Alexander Sosedkin (asosedkin), Clemens Lang (neverpanic)
- Quality Assurance - Sumantro Mukherjee (sumantrom), Geoffrey Marr (coremodule), Kamil Paral (kparal), Adam Williamson (adamw), Thomas Garai (tcg121268),
You can chat with us on IRC. See the infobox on top of the page to learn the right IRC channel.
Prerequisite for Test Day
- Your existing, daily driver Fedora 36+ setup.
This one would be slightly unconventional because the change is testable from the existing Fedora 36+ setups and I aim to identify as many workflows it could break as possible, meaning that I'd very much like the users to experiment by trying it on their existing cozy diverse setups riddled with esoteric workflows and not on pristine clean fresh installs.
How to test?
Broadly speaking, I have three testing strategies to offer:
update-crypto-policies --set TEST-FEDORA39, continue using the system and note what breaks
update-crypto-policies --set FUTURE for those who get bored and want to discover more problems
https://copr.fedorainfracloud.org/coprs/asosedkin/sha1sig-tracer tool that reports less issues, but provides the safest, extremely non-invasive approach for spotting a subset of the problematic scenarios since it only logs, not blocks SHA-1 signature usage in openssl
I don't have a good pre-set guidance of what exactly to test beyond the very basic suggestions of "update dnf metadata", "connect to VPNs if you use any", "fetch your email" and "try to identify something else you use that relies on cryptography". The most walked roads should probably be clear already, it's your imagination and exotic setups that I'm after.
All bugs should be reported into Bugzilla, against the component that relies on to-be-deprecated cryptographic operations. It's likely that you'll be unsure about what exactly would break, so let's investigate together on IRC (see instructions above).
After we confirm that it's indeed a bug triggered by the new change (by switching back and forth between policies and ensuring it's not present under DEFAULT), please file a ticket with a title starting with
StrongCryptoSettings3: and link to https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2.