Meeting started at 2024-06-25 17:01:13 UTC

The Meeting name is 'Fedora Meeting'

The Meeting Name is now fesco

Chairs: @conan_kudo:matrix.org, @ngompa:fedora.im, @nirik:matrix.scrye.com, @humaton:fedora.im, @zbyszek:fedora.im, @sgallagh:fedora.im, @jistone:fedora.im, @dcantrell:fedora.im, @decathorpe:fedora.im, @salimma:fedora.im

!hi

Tomáš Hrčka (humaton) - he / him / his

!hi

Zbigniew Jędrzejewski-Szmek (zbyszek)

!hi

Josh Stone (jistone) - he / him / his

morning

!hi

Fabio Valentini (decathorpe) - he / him / his

!hi

Stephen Gallagher (sgallagh) - he / him / his

!hi

Michel Lind (salimma) - he / him / his

Let's wait a sec more for Neal, since he voted negatively in the ticket.

!hi

David Cantrell (dcantrell) - he / him / his

What are some dns domains that use sha-1? I need an example for testing…

summoning Conan Kudo

ask Petr Mensik.

Unfortunately people still follow bad practice

Probably .vn

is this the right topic ?

The topic hasn't formally begun yet

* Meet Bot The Meeting Topic is now Init Process <- above

zbyszek: https://mailarchive.ietf.org/arch/msg/dnsop/HFg5PHXmCJ7Psz2jWmjyVRJmEWI/

lol @ Apple

I didn't do my homework for this one…

FWIW, I am +1 to this change...

So, just catch me up: is the ONLY reason we're considering not disabling SHA-1 because of these few DNSSEC domains?

yes

and it is not a good reason

can you add an info for the Change issue?

simo: I tend to agree. I just want to make sure there aren't other reasons I missed in the discussion somewhere

!fesco 3229

● **Assignee:** asosedkin

● **Last Updated:** 16 minutes ago

● **Opened:** 4 days ago by amoloney

**fesco #3229** (https://pagure.io/fesco/issue/3229):**Change: Make OpenSSL distrust SHA-1 signatures by default**

besides dns tools could technically re-enable sha-1 on their own, if *really* needed

jistone gave a cookie to kevin. They now have 680 cookies, 21 of which were obtained in the Fedora 40 release cycle

at this point I think no other important SHA1 users are left ... even the Google chrome RPM is now signed with non-sha1 too :O

there's an unanswered question of when runcp will be packaged - it's now in COPR

Does anyone know what runcp does under the hood?

we really MUST stop accepting signatures that use SHA-1 it is a liability, it takes not too much money to break them now, certainly nations tate actors can, but also some rich crooks

the change owners should know, right?

? a z80 simulator?

that's runcpm

I do not think runcp is a required dependency for this change, it is only a nice to have

I think it provides an alternate OpenSSL configuration for this and only this run of a particular application

runCP/M you mean?

nirik: it's mentioned in the change proposal - you can use it to run a single process under a different crypto policy

Proposal: Accept the Change and disallow SHA-1 by default. Mitigations exist for individual applications to re-enable it if absolutely necessary.

Yeah, but the problem in the past was that openssl wouldn't allow per-application configuration. So runcp provides that, but it sounds like it does in some strange fashion.

ah, I remember now... right

It does. OPENSSL_CONF env variable still works :)

zbyszek: it absically created an overlay container that changes cryptopolicies only for that app, and leaves all other namespaces sane

Stephen Gallagher +1

+1

Oh, bleh.

all recent builds of runcp have failed which is... not reassuring - https://copr.fedorainfracloud.org/coprs/asosedkin/crypto-policies-extras/package/crypto-policies-extras/

I fail to see how that's relevant: we're fine with exposing _all_ fedora users to SHA-1 attacks only because the few that need it can't be bothered to switch to LEGACY policy or would like ability to run one or two applications with specific policy??

Stephen Gallagher: +1

Michel Lind 🎩: as mentioned above it is only a nice-ti-have not a hard require

Stephen Gallagher: +1

also latest build of it failed only on one arch: ppc64le

fair. on further consideration given the small impact I think it's fine to change the default. but... just pointing out runcp as is _does not actually work_ even with the COPR

ah... only ppc. fun

I'm perfectly happy with disabling access to systems/software that are unwilling to follow good security practices.

oh it only fails for ppc64le only for c10s. I don't think we need to worry about that

Tally so far: Neal -1, Stephen,Fabio,me,Kevin +1

Josh +1

+1 from me

+1

knowing runcp uses an overlay container, I think I'm fine keeping it in COPR :P

Element puts so much vertical whitespace that doing a tally requires scrolling up two screens.

switch it to IRC mode :)

(use the IRC like appearance and smaller font :p)

nehko does a bit better

fractal does a lot worse. ;)

!fesco 3229

**fesco #3229** (https://pagure.io/fesco/issue/3229):**Change: Make OpenSSL distrust SHA-1 signatures by default**

● **Opened:** 4 days ago by amoloney

● **Last Updated:** 26 minutes ago

● **Assignee:** asosedkin

I forgot that line.

Thank you!

I will be away next week and cannot attend

🎆🍾🍾🍾

I'll also be away

and I will be away

Dmitry Belyavskiy++ thank you for joining

zbyszek gave a cookie to dbelyavs. They now have 3 cookies, 1 of which were obtained in the Fedora 40 release cycle

Next week is a US holiday, so it may be low attendance all-around

probibly me too.

I failed at matrixing :-)

Rather, next week *includes* a US holiday. Not Tuesday specifically

OK, that's four down, so let's drop the next meeting.

So any volunteers for two weeks from now? :---]

I can chair on the 9th

whatever this chat thing is called

or elementing?

Nothing is on fire?

No urgent complaints?

Amazingly, we came to a good choice on the new time

zbyszek don't jinx it

Yeah, having a meeting while the sun is still out is so refreshing.

just wait tho...

isn't this the old old meeting time from like 3 years ago?

it's lunchtime for me but having taken this meeting from Central Europe, the old meeting time is hell so... I'm happy to take lunch slightly late

OK, so let's wrap this up.

Thank y'all for coming.