From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>,
	"Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Subject: Re: [pve-devel] [PATCH proxmox-offline-mirror 2/2] fix #4632: allow escape hatches for legacy repositories
Date: Thu, 6 Apr 2023 13:23:00 +0200
Message-ID: <d18d36e3-5b22-0dd0-62cb-0be1f2094cb5@proxmox.com>
In-Reply-To: <20230404074821.3765099-3-f.gruenbichler@proxmox.com>

On 04/04/2023 at 09:48, Fabian Grünbichler wrote:
> there are still repositories out there that are using things like DSA/RSA-1024
> and SHA1, so let's allow POM users to opt into accepting those insecure
> cryptographic parameters, but keep the default settings secure.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
>  src/bin/proxmox-offline-mirror.rs             |  2 +
>  src/bin/proxmox_offline_mirror_cmds/config.rs |  4 ++
>  src/config.rs                                 | 42 ++++++++++++++++++-
>  src/helpers/verifier.rs                       | 20 ++++++++-
>  src/mirror.rs                                 | 17 +++++++-
>  5 files changed, 81 insertions(+), 4 deletions(-)
> 
> diff --git a/src/bin/proxmox-offline-mirror.rs b/src/bin/proxmox-offline-mirror.rs
> index 3af33bb..bec366a 100644
> --- a/src/bin/proxmox-offline-mirror.rs
> +++ b/src/bin/proxmox-offline-mirror.rs
> @@ -423,6 +423,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>                  use_subscription: None,
>                  ignore_errors: false,
>                  skip,
> +                weak_crypto: None,
>              });
>          }
>      }
> @@ -438,6 +439,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>          use_subscription,
>          ignore_errors: false,
>          skip,
> +        weak_crypto: None,
>      };
>  
>      configs.push(main_config);
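
Review bot: both hunks in action_add_mirror hard-code `weak_crypto: None`, so the interactive setup never offers the new escape hatch and a user mirroring a legacy repository only learns about it after the first verification failure. Leaving the wizard on the secure default is the right call, but the opt-in path should be discoverable: either add a default-no prompt here, or have the verifier's error text point at the `update_mirror` command in config.rs as the place to set `weak-crypto`, and say so in the option's documentation.
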
> diff --git a/src/bin/proxmox_offline_mirror_cmds/config.rs b/src/bin/proxmox_offline_mirror_cmds/config.rs
> index 3ebf4ad..696da11 100644
> --- a/src/bin/proxmox_offline_mirror_cmds/config.rs
> +++ b/src/bin/proxmox_offline_mirror_cmds/config.rs
> @@ -274,6 +274,10 @@ pub fn update_mirror(
>          data.skip.skip_sections = Some(skip_sections);
>      }
>  
> +    if let Some(weak_crypto) = update.weak_crypto {
> +        data.weak_crypto = Some(weak_crypto);
> +    }
> +
>      config.set_data(&id, "mirror", &data)?;
>      proxmox_offline_mirror::config::save_config(&config_file, &config)?;
>  
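
Review bot: the new `if let Some(weak_crypto) = update.weak_crypto` branch can set or replace `weak_crypto` but never clear it, so a mirror that was once switched to legacy settings cannot be brought back to the secure defaults through this command (the surrounding fields follow the same pattern, but for a security knob the reverse direction matters more). If the update command carries a `delete` list for other properties, add `weak-crypto` to it. Also, since `weak_crypto` is a whole struct (`allow-sha1`, `min-dsa-key-size`, `min-rsa-key-size` in the config.rs hunk), this assignment replaces all three settings at once; a user who only wants `allow-sha1` must restate the key sizes, which the option description should make explicit.
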
> diff --git a/src/config.rs b/src/config.rs
> index 39b1193..0e19c77 100644
> --- a/src/config.rs
> +++ b/src/config.rs
> @@ -5,7 +5,7 @@ use lazy_static::lazy_static;
>  use proxmox_subscription::{sign::ServerBlob, SubscriptionInfo};
>  use serde::{Deserialize, Serialize};
>  
> -use proxmox_schema::{api, ApiType, Schema, Updater};
> +use proxmox_schema::{api, ApiStringFormat, ApiType, Schema, Updater};
>  use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
>  use proxmox_sys::fs::{replace_file, CreateOptions};
>  
> @@ -46,6 +46,38 @@ pub struct SkipConfig {
>      pub skip_packages: Option<Vec<String>>,
>  }
>  
> +#[api(
> +    properties: {
> +        "allow-sha1": {
> +            type: bool,
> +            default: false,
> +            optional: true,
> +        },
> +        "min-dsa-key-size": {
> +            type: u64,
> +            optional: true,
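
Review bot: `min-dsa-key-size` is declared as a bare `u64` with no `minimum:`, so the schema accepts `0` (or any value below the DSA/RSA-1024 case the commit message targets) and a typo silently disables the key-size check altogether. Suggest a schema floor such as `minimum: 1024` so the escape hatch cannot be opened wider than its stated purpose, plus a `default:` naming the secure baseline the option overrides, as `allow-sha1` above already does with `default: false`; the same applies to `min-rsa-key-size` below.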

could we encode the minimum value and default of 2048 here? As the existence of the option
indicates that there is some minimum, and not knowing what that is could be IMO slightly
confusing for users.

I didn't find a quick/easy way to get the actual value from sequoia, but raising this limit
is probably either a breaking change or will be highlighted in any release notes, so we
should be made aware of when to update it if we just hard-code it here.

> +        },
> +        "min-rsa-key-size": {
> +            type: u64,
> +            optional: true,

same here.
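
The escape hatch discussed in this thread, as an added example and not code from proxmox-offline-mirror: a self-contained Rust model of the weak_crypto settings that keeps the secure default (2048-bit keys, SHA1 rejected), lets a property string opt into the legacy DSA/RSA-1024 case the commit message names, and refuses to go below that floor, which is the `minimum:`/`default:` point raised above expressed in code. The property-string format, the constants DEFAULT_MIN_KEY_BITS and LEGACY_FLOOR_BITS, the SignatureInfo type and the check_signature function are assumptions for illustration; in the project the real decisions live in verifier.rs, which this patch touches but which is not quoted here.

```rust
// Added example, not proxmox-offline-mirror code. The property-string format,
// the constants and the policy function below are assumptions for illustration.

/// Assumed secure default for both DSA and RSA minimum key sizes.
pub const DEFAULT_MIN_KEY_BITS: u64 = 2048;
/// Assumed floor: the escape hatch may open down to the legacy 1024-bit case, not further.
pub const LEGACY_FLOOR_BITS: u64 = 1024;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct WeakCryptoConfig {
    pub allow_sha1: bool,
    pub min_dsa_key_size: u64,
    pub min_rsa_key_size: u64,
}

impl Default for WeakCryptoConfig {
    fn default() -> Self {
        Self { allow_sha1: false, min_dsa_key_size: DEFAULT_MIN_KEY_BITS, min_rsa_key_size: DEFAULT_MIN_KEY_BITS }
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ConfigError {
    UnknownKey(String),
    BadValue(String),
    BelowFloor { key: String, value: u64 },
}

/// Parse a property string such as "allow-sha1=1,min-rsa-key-size=1024".
/// Keys that are absent keep the secure defaults; key sizes below LEGACY_FLOOR_BITS are rejected.
pub fn parse_weak_crypto(s: &str) -> Result<WeakCryptoConfig, ConfigError> {
    let mut cfg = WeakCryptoConfig::default();
    if s.trim().is_empty() {
        return Ok(cfg);
    }
    for kv in s.split(',') {
        let (k, v) = kv.split_once('=').ok_or_else(|| ConfigError::BadValue(kv.to_string()))?;
        let key = k.trim();
        match key {
            "allow-sha1" => cfg.allow_sha1 = parse_bool(v)?,
            "min-dsa-key-size" => cfg.min_dsa_key_size = parse_key_size(key, v)?,
            "min-rsa-key-size" => cfg.min_rsa_key_size = parse_key_size(key, v)?,
            other => return Err(ConfigError::UnknownKey(other.to_string())),
        }
    }
    Ok(cfg)
}

fn parse_bool(v: &str) -> Result<bool, ConfigError> {
    match v.trim() {
        "1" | "true" | "yes" | "on" => Ok(true),
        "0" | "false" | "no" | "off" => Ok(false),
        other => Err(ConfigError::BadValue(other.to_string())),
    }
}

fn parse_key_size(key: &str, v: &str) -> Result<u64, ConfigError> {
    let bits: u64 = v.trim().parse().map_err(|_| ConfigError::BadValue(v.to_string()))?;
    if bits < LEGACY_FLOOR_BITS {
        return Err(ConfigError::BelowFloor { key: key.to_string(), value: bits });
    }
    Ok(bits)
}

/// Signature metadata as a verifier would have it after parsing an OpenPGP signature (assumed shape).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PublicKeyAlgo { Rsa, Dsa, EdDsa }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HashAlgo { Sha1, Sha256, Sha512 }
#[derive(Debug, Clone, Copy)]
pub struct SignatureInfo { pub key_algo: PublicKeyAlgo, pub key_bits: u64, pub hash: HashAlgo }

/// Accept or reject a signature under the configured policy; the Err carries the reason.
pub fn check_signature(cfg: &WeakCryptoConfig, sig: &SignatureInfo) -> Result<(), String> {
    if sig.hash == HashAlgo::Sha1 && !cfg.allow_sha1 {
        return Err("SHA1 signature rejected (set allow-sha1 to accept)".into());
    }
    let min = match sig.key_algo {
        PublicKeyAlgo::Rsa => cfg.min_rsa_key_size,
        PublicKeyAlgo::Dsa => cfg.min_dsa_key_size,
        PublicKeyAlgo::EdDsa => return Ok(()), // fixed-size curve key, no size policy here
    };
    if sig.key_bits < min {
        return Err(format!("{:?}-{} key below configured minimum of {} bits", sig.key_algo, sig.key_bits, min));
    }
    Ok(())
}

fn main() {
    // Constructed sample: a legacy RSA-1024 key signing with SHA1.
    let legacy = SignatureInfo { key_algo: PublicKeyAlgo::Rsa, key_bits: 1024, hash: HashAlgo::Sha1 };
    println!("default policy: {:?}", check_signature(&WeakCryptoConfig::default(), &legacy));
    let relaxed = parse_weak_crypto("allow-sha1=1,min-rsa-key-size=1024").unwrap();
    println!("relaxed policy: {:?}", check_signature(&relaxed, &legacy));
    println!("below floor:    {:?}", parse_weak_crypto("min-rsa-key-size=512"));
}
```

Relaxing only `min-rsa-key-size` leaves the DSA minimum at the default, so a DSA-1024 key is still rejected under the relaxed config; that is the per-algorithm behaviour the three separate properties buy, and the floor check is what a schema `minimum:` would enforce at parse time instead of here.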

Thread overview: 6+ messages
2023-04-04  7:48 [pve-devel] [PATCH proxmox-offline-mirror 0/2] improve GPG verification Fabian Grünbichler
2023-04-04  7:48 ` [pve-devel] [PATCH proxmox-offline-mirror 1/2] improve GPG error messages Fabian Grünbichler
2023-04-04  7:48 ` [pve-devel] [PATCH proxmox-offline-mirror 2/2] fix #4632: allow escape hatches for legacy repositories Fabian Grünbichler
2023-04-06 11:23   ` Thomas Lamprecht [this message]
2023-04-06 11:57     ` Fabian Grünbichler
2023-04-06 11:22 ` [pve-devel] applied: [PATCH proxmox-offline-mirror 0/2] improve GPG verification Thomas Lamprecht
