From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Thomas Lamprecht <t.lamprecht@proxmox.com>
Subject: Re: [pve-devel] [PATCH proxmox-offline-mirror 2/2] fix #4632: allow escape hatches for legacy repositories
Date: Thu, 06 Apr 2023 13:57:53 +0200
Message-ID: <1680782145.6chqtnpke4.astroid@yuna.none>
In-Reply-To: <d18d36e3-5b22-0dd0-62cb-0be1f2094cb5@proxmox.com>
On April 6, 2023 1:23 pm, Thomas Lamprecht wrote:
> Am 04/04/2023 um 09:48 schrieb Fabian Grünbichler:
>> there are still repositories out there that are using things like DSA/RSA-1024
>> and SHA1, so let's allow POM users to opt into accepting those insecure
>> cryptographic parameters, but keep the default settings secure.
>>
>> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
>> ---
>> src/bin/proxmox-offline-mirror.rs | 2 +
>> src/bin/proxmox_offline_mirror_cmds/config.rs | 4 ++
>> src/config.rs | 42 ++++++++++++++++++-
>> src/helpers/verifier.rs | 20 ++++++++-
>> src/mirror.rs | 17 +++++++-
>> 5 files changed, 81 insertions(+), 4 deletions(-)
>>
>> diff --git a/src/bin/proxmox-offline-mirror.rs b/src/bin/proxmox-offline-mirror.rs
>> index 3af33bb..bec366a 100644
>> --- a/src/bin/proxmox-offline-mirror.rs
>> +++ b/src/bin/proxmox-offline-mirror.rs
>> @@ -423,6 +423,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>> use_subscription: None,
>> ignore_errors: false,
>> skip,
>> + weak_crypto: None,
>> });
>> }
>> }
>> @@ -438,6 +439,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>> use_subscription,
>> ignore_errors: false,
>> skip,
>> + weak_crypto: None,
>> };
>>
>> configs.push(main_config);
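Review bot: both construction sites in `action_add_mirror` (this hunk and the one above it) hard-code `weak_crypto: None`, so the interactive add flow never exposes the escape hatch and an operator of a legacy repository has to add the mirror first and then relax the policy through `update`. That is the right secure default, but it deserves a sentence in the docs or in the add wizard's output pointing at the `update` path, otherwise the first mirror run of such a repository fails with no hint at the intended fix.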
>> diff --git a/src/bin/proxmox_offline_mirror_cmds/config.rs b/src/bin/proxmox_offline_mirror_cmds/config.rs
>> index 3ebf4ad..696da11 100644
>> --- a/src/bin/proxmox_offline_mirror_cmds/config.rs
>> +++ b/src/bin/proxmox_offline_mirror_cmds/config.rs
>> @@ -274,6 +274,10 @@ pub fn update_mirror(
>> data.skip.skip_sections = Some(skip_sections);
>> }
>>
>> + if let Some(weak_crypto) = update.weak_crypto {
>> + data.weak_crypto = Some(weak_crypto);
>> + }
>> +
>> config.set_data(&id, "mirror", &data)?;
>> proxmox_offline_mirror::config::save_config(&config_file, &config)?;
>>
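Review bot: the `if let Some(weak_crypto) = update.weak_crypto { data.weak_crypto = Some(weak_crypto); }` branch can only set or overwrite the escape hatch, never clear it, so once a mirror has opted into SHA1 or small keys there is no way back to the secure defaults through `update` short of hand-editing the config file. Consider a way to delete the property again and, since this is a security-relevant relaxation, log when it is enabled so the change is visible in the mirror's history.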
>> diff --git a/src/config.rs b/src/config.rs
>> index 39b1193..0e19c77 100644
>> --- a/src/config.rs
>> +++ b/src/config.rs
>> @@ -5,7 +5,7 @@ use lazy_static::lazy_static;
>> use proxmox_subscription::{sign::ServerBlob, SubscriptionInfo};
>> use serde::{Deserialize, Serialize};
>>
>> -use proxmox_schema::{api, ApiType, Schema, Updater};
>> +use proxmox_schema::{api, ApiStringFormat, ApiType, Schema, Updater};
>> use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
>> use proxmox_sys::fs::{replace_file, CreateOptions};
>>
>> @@ -46,6 +46,38 @@ pub struct SkipConfig {
>> pub skip_packages: Option<Vec<String>>,
>> }
>>
>> +#[api(
>> + properties: {
>> + "allow-sha1": {
>> + type: bool,
>> + default: false,
>> + optional: true,
>> + },
>> + "min-dsa-key-size": {
>> + type: u64,
>> + optional: true,
>
> could we encode minimum value and default of 2048 here? As the existence of the option
> indicates that there is some minimum, and not knowing what that is, could be IMO slightly
> confusing for users.
yes
> I didn't find a quick/easy way to get the actual value from sequoia, but raising this limit
> is probably either a breaking change or will be highlighted in any release notes, so we
> should be made aware of when to update it if we just hard-code it here.
we could also define our own policy (or overrides for stuff we want to accept
for the time being, irrespective of sequoia's standard policy) if we want.
there is some work[0] for making the policies loadable from a file, but that
would then tie us rather directly to sequoia if we offer that via our config
(also, the format is rather involved and not very user friendly).
0: https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/
>> + },
>> + "min-rsa-key-size": {
>> + type: u64,
>> + optional: true,
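Review bot: `min-dsa-key-size` and `min-rsa-key-size` are plain `u64` properties with neither `minimum:` nor `default:`, so a value of 0 (or 1) would switch the key-size check off entirely instead of merely relaxing it. Alongside the 2048 default Thomas asks for, add a `minimum:` (1024 would match the DSA/RSA-1024 repositories named in the commit message) so the escape hatch can only lower the bar to a known floor; `allow-sha1` with `default: false` is fine as it is.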
>
> same here.
>
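As an added illustration of the semantics under discussion (not proxmox-offline-mirror's own code and not sequoia's policy API): a minimal model of a `weak_crypto` property string using the patch's property names, where the 2048-bit default and the 1024-bit floor are assumptions taken from the review discussion, and `signature_acceptable` is a hypothetical check standing in for the real verifier.

```rust
// Added example, not project code. Models the "weak_crypto" escape hatch:
// secure defaults unless explicitly relaxed, and relaxation bounded by a floor.
const DEFAULT_MIN_KEY_BITS: u32 = 2048; // assumed secure default
const FLOOR_MIN_KEY_BITS: u32 = 1024; // assumed lowest value the hatch may select

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct WeakCrypto {
    pub allow_sha1: bool,
    pub min_dsa_key_size: u32,
    pub min_rsa_key_size: u32,
}

impl Default for WeakCrypto {
    fn default() -> Self {
        WeakCrypto { allow_sha1: false, min_dsa_key_size: DEFAULT_MIN_KEY_BITS, min_rsa_key_size: DEFAULT_MIN_KEY_BITS }
    }
}

/// Parse e.g. "allow-sha1=1,min-rsa-key-size=1024" on top of the secure defaults.
/// Unknown keys, malformed values and key sizes below the floor are rejected.
pub fn parse_weak_crypto(s: &str) -> Result<WeakCrypto, String> {
    let mut cfg = WeakCrypto::default();
    for item in s.split(',').map(str::trim).filter(|i| !i.is_empty()) {
        let (key, value) = item.split_once('=').ok_or(format!("missing '=' in {:?}", item))?;
        let (key, value) = (key.trim(), value.trim());
        match key {
            "allow-sha1" => cfg.allow_sha1 = match value { "1" | "true" => true, "0" | "false" => false, v => return Err(format!("bad bool {:?}", v)) },
            "min-dsa-key-size" | "min-rsa-key-size" => {
                let bits: u32 = value.parse().map_err(|_| format!("bad key size {:?}", value))?;
                if bits < FLOOR_MIN_KEY_BITS { return Err(format!("{}={} is below the floor of {}", key, bits, FLOOR_MIN_KEY_BITS)); }
                if key == "min-dsa-key-size" { cfg.min_dsa_key_size = bits } else { cfg.min_rsa_key_size = bits }
            }
            k => return Err(format!("unknown property {:?}", k)),
        }
    }
    Ok(cfg)
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum KeyAlgo { Rsa, Dsa }

/// Hypothetical verifier decision: is a signature using `hash`, made by an `algo` key of `bits` bits, acceptable?
pub fn signature_acceptable(cfg: &WeakCrypto, hash: &str, algo: KeyAlgo, bits: u32) -> bool {
    let hash_ok = hash != "SHA1" || cfg.allow_sha1;
    let key_ok = match algo {
        KeyAlgo::Rsa => bits >= cfg.min_rsa_key_size,
        KeyAlgo::Dsa => bits >= cfg.min_dsa_key_size,
    };
    hash_ok && key_ok
}
```

Note that relaxing the RSA limit leaves the DSA limit at its default, so each legacy repository opts into exactly the weakness it needs.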
Thread overview: 6+ messages
2023-04-04 7:48 [pve-devel] [PATCH proxmox-offline-mirror 0/2] improve GPG verification Fabian Grünbichler
2023-04-04 7:48 ` [pve-devel] [PATCH proxmox-offline-mirror 1/2] improve GPG error messages Fabian Grünbichler
2023-04-04 7:48 ` [pve-devel] [PATCH proxmox-offline-mirror 2/2] fix #4632: allow escape hatches for legacy repositories Fabian Grünbichler
2023-04-06 11:23 ` Thomas Lamprecht
2023-04-06 11:57 ` Fabian Grünbichler [this message]
2023-04-06 11:22 ` [pve-devel] applied: [PATCH proxmox-offline-mirror 0/2] improve GPG verification Thomas Lamprecht