From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <t.lamprecht@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 3D039934B4
 for <pve-devel@lists.proxmox.com>; Thu,  6 Apr 2023 13:23:32 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 1FC7980F7
 for <pve-devel@lists.proxmox.com>; Thu,  6 Apr 2023 13:23:02 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Thu,  6 Apr 2023 13:23:01 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 49D7345EAC
 for <pve-devel@lists.proxmox.com>; Thu,  6 Apr 2023 13:23:01 +0200 (CEST)
Message-ID: <d18d36e3-5b22-0dd0-62cb-0be1f2094cb5@proxmox.com>
Date: Thu, 6 Apr 2023 13:23:00 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: de-AT, en-GB
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
 =?UTF-8?Q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
References: <20230404074821.3765099-1-f.gruenbichler@proxmox.com>
 <20230404074821.3765099-3-f.gruenbichler@proxmox.com>
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Autocrypt: addr=t.lamprecht@proxmox.com; keydata=
 xsFNBFsLjcYBEACsaQP6uTtw/xHTUCKF4VD4/Wfg7gGn47+OfCKJQAD+Oyb3HSBkjclopC5J
 uXsB1vVOfqVYE6PO8FlD2L5nxgT3SWkc6Ka634G/yGDU3ZC3C/7NcDVKhSBI5E0ww4Qj8s9w
 OQRloemb5LOBkJNEUshkWRTHHOmk6QqFB/qBPW2COpAx6oyxVUvBCgm/1S0dAZ9gfkvpqFSD
 90B5j3bL6i9FIv3YGUCgz6Ue3f7u+HsEAew6TMtlt90XV3vT4M2IOuECG/pXwTy7NtmHaBQ7
 UJBcwSOpDEweNob50+9B4KbnVn1ydx+K6UnEcGDvUWBkREccvuExvupYYYQ5dIhRFf3fkS4+
 wMlyAFh8PQUgauod+vqs45FJaSgTqIALSBsEHKEs6IoTXtnnpbhu3p6XBin4hunwoBFiyYt6
 YHLAM1yLfCyX510DFzX/Ze2hLqatqzY5Wa7NIXqYYelz7tXiuCLHP84+sV6JtEkeSUCuOiUY
 virj6nT/nJK8m0BzdR6FgGtNxp7RVXFRz/+mwijJVLpFsyG1i0Hmv2zTn3h2nyGK/I6yhFNt
 dX69y5hbo6LAsRjLUvZeHXpTU4TrpN/WiCjJblbj5um5eEr4yhcwhVmG102puTtuCECsDucZ
 jpKpUqzXlpLbzG/dp9dXFH3MivvfuaHrg3MtjXY1i+/Oxyp5iwARAQABzTNUaG9tYXMgTGFt
 cHJlY2h0IChBdXRoLTQpIDx0LmxhbXByZWNodEBwcm94bW94LmNvbT7CwY4EEwEIADgWIQQO
 R4qbEl/pah9K6VrTZCM6gDZWBgUCWwuNxgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAK
 CRDTZCM6gDZWBm/jD/4+6JB2s67eaqoP6x9VGaXNGJPCscwzLuxDTCG90G9FYu29VcXtubH/
 bPwsyBbNUQpqTm/s4XboU2qpS5ykCuTjqavrcP33tdkYfGcItj2xMipJ1i3TWvpikQVsX42R
 G64wovLs/dvpTYphRZkg5DwhgTmy3mRkmofFCTa+//MOcNOORltemp984tWjpR3bUJETNWpF
 sKGZHa3N4kCNxb7A+VMsJZ/1gN3jbQbQG7GkJtnHlWkw9rKCYqBtWrnrHa4UAvSa9M/XCIAB
 FThFGqZI1ojdVlv5gd6b/nWxfOPrLlSxbUo5FZ1i/ycj7/24nznW1V4ykG9iUld4uYUY86bB
 UGSjew1KYp9FmvKiwEoB+zxNnuEQfS7/Bj1X9nxizgweiHIyFsRqgogTvLh403QMSGNSoArk
 tqkorf1U+VhEncIn4H3KksJF0njZKfilrieOO7Vuot1xKr9QnYrZzJ7m7ZxJ/JfKGaRHXkE1
 feMmrvZD1AtdUATZkoeQtTOpMu4r6IQRfSdwm/CkppZXfDe50DJxAMDWwfK2rr2bVkNg/yZI
 tKLBS0YgRTIynkvv0h8d9dIjiicw3RMeYXyqOnSWVva2r+tl+JBaenr8YTQw0zARrhC0mttu
 cIZGnVEvQuDwib57QLqMjQaC1gazKHvhA15H5MNxUhwm229UmdH3KM7BTQRbC43GARAAyTkR
 D6KRJ9Xa2fVMh+6f186q0M3ni+5tsaVhUiykxjsPgkuWXWW9MbLpYXkzX6h/RIEKlo2BGA95
 QwG5+Ya2Bo3g7FGJHAkXY6loq7DgMp5/TVQ8phsSv3WxPTJLCBq6vNBamp5hda4cfXFUymsy
 HsJy4dtgkrPQ/bnsdFDCRUuhJHopnAzKHN8APXpKU6xV5e3GE4LwFsDhNHfH/m9+2yO/trcD
 txSFpyftbK2gaMERHgA8SKkzRhiwRTt9w5idOfpJVkYRsgvuSGZ0pcD4kLCOIFrer5xXudk6
 NgJc36XkFRMnwqrL/bB4k6Pi2u5leyqcXSLyBgeHsZJxg6Lcr2LZ35+8RQGPOw9C0ItmRjtY
 ZpGKPlSxjxA1WHT2YlF9CEt3nx7c4C3thHHtqBra6BGPyW8rvtq4zRqZRLPmZ0kt/kiMPhTM
 8wZAlObbATVrUMcZ/uNjRv2vU9O5aTAD9E5r1B0dlqKgxyoImUWB0JgpILADaT3VybDd3C8X
 s6Jt8MytUP+1cEWt9VKo4vY4Jh5vwrJUDLJvzpN+TsYCZPNVj18+jf9uGRaoK6W++DdMAr5l
 gQiwsNgf9372dbMI7pt2gnT5/YdG+ZHnIIlXC6OUonA1Ro/Itg90Q7iQySnKKkqqnWVc+qO9
 GJbzcGykxD6EQtCSlurt3/5IXTA7t6sAEQEAAcLBdgQYAQgAIBYhBA5HipsSX+lqH0rpWtNk
 IzqANlYGBQJbC43GAhsMAAoJENNkIzqANlYGD1sP/ikKgHgcspEKqDED9gQrTBvipH85si0j
 /Jwu/tBtnYjLgKLh2cjv1JkgYYjb3DyZa1pLsIv6rGnPX9bH9IN03nqirC/Q1Y1lnbNTynPk
 IflgvsJjoTNZjgu1wUdQlBgL/JhUp1sIYID11jZphgzfDgp/E6ve/8xE2HMAnf4zAfJaKgD0
 F+fL1DlcdYUditAiYEuN40Ns/abKs8I1MYx7Yglu3RzJfBzV4t86DAR+OvuF9v188WrFwXCS
 RSf4DmJ8tntyNej+DVGUnmKHupLQJO7uqCKB/1HLlMKc5G3GLoGqJliHjUHUAXNzinlpE2Vj
 C78pxpwxRNg2ilE3AhPoAXrY5qED5PLE9sLnmQ9AzRcMMJUXjTNEDxEYbF55SdGBHHOAcZtA
 kEQKub86e+GHA+Z8oXQSGeSGOkqHi7zfgW1UexddTvaRwE6AyZ6FxTApm8wq8NT2cryWPWTF
 BDSGB3ujWHMM8ERRYJPcBSjTvt0GcEqnd+OSGgxTkGOdufn51oz82zfpVo1t+J/FNz6MRMcg
 8nEC+uKvgzH1nujxJ5pRCBOquFZaGn/p71Yr0oVitkttLKblFsqwa+10Lt6HBxm+2+VLp4Ja
 0WZNncZciz3V3cuArpan/ZhhyiWYV5FD0pOXPCJIx7WS9PTtxiv0AOS4ScWEUmBxyhFeOpYa DrEx
In-Reply-To: <20230404074821.3765099-3-f.gruenbichler@proxmox.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.094 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: Re: [pve-devel] [PATCH proxmox-offline-mirror 2/2] fix #4632: allow
 escape hatches for legacy repositories
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2023 11:23:32 -0000

Am 04/04/2023 um 09:48 schrieb Fabian Gr=C3=BCnbichler:
> there are still repositories out there that are using things like DSA/R=
SA-1024
> and SHA1, so let's allow POM users to opt into accepting those insecure=

> cryptographic parameters, but keep the default settings secure.
>=20
> Signed-off-by: Fabian Gr=C3=BCnbichler <f.gruenbichler@proxmox.com>
> ---
>  src/bin/proxmox-offline-mirror.rs             |  2 +
>  src/bin/proxmox_offline_mirror_cmds/config.rs |  4 ++
>  src/config.rs                                 | 42 ++++++++++++++++++-=

>  src/helpers/verifier.rs                       | 20 ++++++++-
>  src/mirror.rs                                 | 17 +++++++-
>  5 files changed, 81 insertions(+), 4 deletions(-)
>=20
> diff --git a/src/bin/proxmox-offline-mirror.rs b/src/bin/proxmox-offlin=
e-mirror.rs
> index 3af33bb..bec366a 100644
> --- a/src/bin/proxmox-offline-mirror.rs
> +++ b/src/bin/proxmox-offline-mirror.rs
> @@ -423,6 +423,7 @@ fn action_add_mirror(config: &SectionConfigData) ->=
 Result<Vec<MirrorConfig>, Er
>                  use_subscription: None,
>                  ignore_errors: false,
>                  skip,
> +                weak_crypto: None,
>              });
>          }
>      }
> @@ -438,6 +439,7 @@ fn action_add_mirror(config: &SectionConfigData) ->=
 Result<Vec<MirrorConfig>, Er
>          use_subscription,
>          ignore_errors: false,
>          skip,
> +        weak_crypto: None,
>      };
> =20
>      configs.push(main_config);
> diff --git a/src/bin/proxmox_offline_mirror_cmds/config.rs b/src/bin/pr=
oxmox_offline_mirror_cmds/config.rs
> index 3ebf4ad..696da11 100644
> --- a/src/bin/proxmox_offline_mirror_cmds/config.rs
> +++ b/src/bin/proxmox_offline_mirror_cmds/config.rs
> @@ -274,6 +274,10 @@ pub fn update_mirror(
>          data.skip.skip_sections =3D Some(skip_sections);
>      }
> =20
> +    if let Some(weak_crypto) =3D update.weak_crypto {
> +        data.weak_crypto =3D Some(weak_crypto);
> +    }
> +
>      config.set_data(&id, "mirror", &data)?;
>      proxmox_offline_mirror::config::save_config(&config_file, &config)=
?;
> =20
> diff --git a/src/config.rs b/src/config.rs
> index 39b1193..0e19c77 100644
> --- a/src/config.rs
> +++ b/src/config.rs
> @@ -5,7 +5,7 @@ use lazy_static::lazy_static;
>  use proxmox_subscription::{sign::ServerBlob, SubscriptionInfo};
>  use serde::{Deserialize, Serialize};
> =20
> -use proxmox_schema::{api, ApiType, Schema, Updater};
> +use proxmox_schema::{api, ApiStringFormat, ApiType, Schema, Updater};
>  use proxmox_section_config::{SectionConfig, SectionConfigData, Section=
ConfigPlugin};
>  use proxmox_sys::fs::{replace_file, CreateOptions};
> =20
> @@ -46,6 +46,38 @@ pub struct SkipConfig {
>      pub skip_packages: Option<Vec<String>>,
>  }
> =20
> +#[api(
> +    properties: {
> +        "allow-sha1": {
> +            type: bool,
> +            default: false,
> +            optional: true,
> +        },
> +        "min-dsa-key-size": {
> +            type: u64,
> +            optional: true,

could we encode minimum value and default of 2048 here? As the existance =
of the option
indicates that there is some minimum, and not knowing what that is, could=
 be IMO slightly
confusing for users.

I don't found a quick/easy way to get the actual value from sequioa, but =
raising this limit
is probably either a breaking change or will be highlighted in any releas=
e notes so we
should be made aware for when to update it if we just hard-code it here.

> +        },
> +        "min-rsa-key-size": {
> +            type: u64,
> +            optional: true,

same here.