From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <f.gruenbichler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 1B28E934FF
 for <pve-devel@lists.proxmox.com>; Thu,  6 Apr 2023 13:58:32 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id E8D0688C1
 for <pve-devel@lists.proxmox.com>; Thu,  6 Apr 2023 13:58:01 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Thu,  6 Apr 2023 13:58:01 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D74BF45EBB
 for <pve-devel@lists.proxmox.com>; Thu,  6 Apr 2023 13:58:00 +0200 (CEST)
Date: Thu, 06 Apr 2023 13:57:53 +0200
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
 Thomas Lamprecht <t.lamprecht@proxmox.com>
References: <20230404074821.3765099-1-f.gruenbichler@proxmox.com>
 <20230404074821.3765099-3-f.gruenbichler@proxmox.com>
 <d18d36e3-5b22-0dd0-62cb-0be1f2094cb5@proxmox.com>
In-Reply-To: <d18d36e3-5b22-0dd0-62cb-0be1f2094cb5@proxmox.com>
MIME-Version: 1.0
User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid)
Message-Id: <1680782145.6chqtnpke4.astroid@yuna.none>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.071 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [mirror.rs, config.rs, docs.rs, verifier.rs,
 proxmox-offline-mirror.rs]
Subject: Re: [pve-devel] [PATCH proxmox-offline-mirror 2/2] fix #4632: allow
 escape hatches for legacy repositories
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2023 11:58:32 -0000

On April 6, 2023 1:23 pm, Thomas Lamprecht wrote:
> Am 04/04/2023 um 09:48 schrieb Fabian Gr=C3=BCnbichler:
>> there are still repositories out there that are using things like DSA/RS=
A-1024
>> and SHA1, so let's allow POM users to opt into accepting those insecure
>> cryptographic parameters, but keep the default settings secure.
>>=20
>> Signed-off-by: Fabian Gr=C3=BCnbichler <f.gruenbichler@proxmox.com>
>> ---
>>  src/bin/proxmox-offline-mirror.rs             |  2 +
>>  src/bin/proxmox_offline_mirror_cmds/config.rs |  4 ++
>>  src/config.rs                                 | 42 ++++++++++++++++++-
>>  src/helpers/verifier.rs                       | 20 ++++++++-
>>  src/mirror.rs                                 | 17 +++++++-
>>  5 files changed, 81 insertions(+), 4 deletions(-)
>>=20
>> diff --git a/src/bin/proxmox-offline-mirror.rs b/src/bin/proxmox-offline=
-mirror.rs
>> index 3af33bb..bec366a 100644
>> --- a/src/bin/proxmox-offline-mirror.rs
>> +++ b/src/bin/proxmox-offline-mirror.rs
>> @@ -423,6 +423,7 @@ fn action_add_mirror(config: &SectionConfigData) -> =
Result<Vec<MirrorConfig>, Er
>>                  use_subscription: None,
>>                  ignore_errors: false,
>>                  skip,
>> +                weak_crypto: None,
>>              });
>>          }
>>      }
>> @@ -438,6 +439,7 @@ fn action_add_mirror(config: &SectionConfigData) -> =
Result<Vec<MirrorConfig>, Er
>>          use_subscription,
>>          ignore_errors: false,
>>          skip,
>> +        weak_crypto: None,
>>      };
>> =20
>>      configs.push(main_config);
>> diff --git a/src/bin/proxmox_offline_mirror_cmds/config.rs b/src/bin/pro=
xmox_offline_mirror_cmds/config.rs
>> index 3ebf4ad..696da11 100644
>> --- a/src/bin/proxmox_offline_mirror_cmds/config.rs
>> +++ b/src/bin/proxmox_offline_mirror_cmds/config.rs
>> @@ -274,6 +274,10 @@ pub fn update_mirror(
>>          data.skip.skip_sections =3D Some(skip_sections);
>>      }
>> =20
>> +    if let Some(weak_crypto) =3D update.weak_crypto {
>> +        data.weak_crypto =3D Some(weak_crypto);
>> +    }
>> +
>>      config.set_data(&id, "mirror", &data)?;
>>      proxmox_offline_mirror::config::save_config(&config_file, &config)?=
;
>> =20
>> diff --git a/src/config.rs b/src/config.rs
>> index 39b1193..0e19c77 100644
>> --- a/src/config.rs
>> +++ b/src/config.rs
>> @@ -5,7 +5,7 @@ use lazy_static::lazy_static;
>>  use proxmox_subscription::{sign::ServerBlob, SubscriptionInfo};
>>  use serde::{Deserialize, Serialize};
>> =20
>> -use proxmox_schema::{api, ApiType, Schema, Updater};
>> +use proxmox_schema::{api, ApiStringFormat, ApiType, Schema, Updater};
>>  use proxmox_section_config::{SectionConfig, SectionConfigData, SectionC=
onfigPlugin};
>>  use proxmox_sys::fs::{replace_file, CreateOptions};
>> =20
>> @@ -46,6 +46,38 @@ pub struct SkipConfig {
>>      pub skip_packages: Option<Vec<String>>,
>>  }
>> =20
>> +#[api(
>> +    properties: {
>> +        "allow-sha1": {
>> +            type: bool,
>> +            default: false,
>> +            optional: true,
>> +        },
>> +        "min-dsa-key-size": {
>> +            type: u64,
>> +            optional: true,
>=20
> could we encode minimum value and default of 2048 here? As the existance =
of the option
> indicates that there is some minimum, and not knowing what that is, could=
 be IMO slightly
> confusing for users.

yes

> I don't found a quick/easy way to get the actual value from sequioa, but =
raising this limit
> is probably either a breaking change or will be highlighted in any releas=
e notes so we
> should be made aware for when to update it if we just hard-code it here.

we could also define our own policy (or overrides for stuff we want to acce=
pt
for the time being, irrespective of sequoias standard policy) if we want.

there is some work[0] for making the policies loadable from a file, but tha=
t
would then tie us rather directly to sequoia if we offer that via our confi=
g
(also, the format is rather involved and not very user friendly).

0: https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/

>> +        },
>> +        "min-rsa-key-size": {
>> +            type: u64,
>> +            optional: true,
>=20
> same here.
>=20