2024-06-25 17:01:13 <@zbyszek:fedora.im> !startmeeting
2024-06-25 17:01:13 <@meetbot:fedora.im> Meeting started at 2024-06-25 17:01:13 UTC
2024-06-25 17:01:14 <@meetbot:fedora.im> The Meeting name is 'Fedora Meeting'
2024-06-25 17:01:17 <@zbyszek:fedora.im> !meetingname fesco
2024-06-25 17:01:18 <@meetbot:fedora.im> The Meeting Name is now fesco
2024-06-25 17:01:26 <@zbyszek:fedora.im> Chairs: @conan_kudo:matrix.org, @ngompa:fedora.im, @nirik:matrix.scrye.com, @humaton:fedora.im, @zbyszek:fedora.im, @sgallagh:fedora.im, @jistone:fedora.im, @dcantrell:fedora.im, @decathorpe:fedora.im, @salimma:fedora.im
2024-06-25 17:01:33 <@humaton:fedora.im> !hi
2024-06-25 17:01:33 <@zbyszek:fedora.im> !topic Init Process
2024-06-25 17:01:34 <@zodbot:fedora.im> Tomáš Hrčka (humaton) - he / him / his
2024-06-25 17:01:35 <@zbyszek:fedora.im> !hi
2024-06-25 17:01:36 <@zodbot:fedora.im> Zbigniew Jędrzejewski-Szmek (zbyszek)
2024-06-25 17:01:36 <@jistone:fedora.im> !hi
2024-06-25 17:01:38 <@zodbot:fedora.im> Josh Stone (jistone) - he / him / his
2024-06-25 17:01:43 <@nirik:matrix.scrye.com> morning
2024-06-25 17:01:52 <@decathorpe:fedora.im> !hi
2024-06-25 17:01:53 <@zodbot:fedora.im> Fabio Valentini (decathorpe) - he / him / his
2024-06-25 17:02:16 <@sgallagh:fedora.im> !hi
2024-06-25 17:02:17 <@zodbot:fedora.im> Stephen Gallagher (sgallagh) - he / him / his
2024-06-25 17:02:52 <@salimma:fedora.im> !hi
2024-06-25 17:02:53 <@zodbot:fedora.im> Michel Lind (salimma) - he / him / his
2024-06-25 17:03:23 <@zbyszek:fedora.im> Let's wait a sec more for Neal, since he voted negatively in the ticket.
2024-06-25 17:03:31 <@dcantrell:fedora.im> !hi
2024-06-25 17:03:33 <@zodbot:fedora.im> David Cantrell (dcantrell) - he / him / his
2024-06-25 17:03:45 <@zbyszek:fedora.im> What are some dns domains that use sha-1? I need an example for testing…
2024-06-25 17:04:12 <@salimma:fedora.im> summoning Conan Kudo
2024-06-25 17:04:18 <@dbelyavs:fedora.im> ask Petr Mensik.
2024-06-25 17:04:31 <@dbelyavs:fedora.im> Unfortunately people still follow bad practice
2024-06-25 17:04:39 <@dbelyavs:fedora.im> Probably .vn
2024-06-25 17:04:43 <@simo:fedora.im> is this the right topic ?
2024-06-25 17:04:57 <@sgallagh:fedora.im> The topic hasn't formally begun yet
2024-06-25 17:05:18 <@simo:fedora.im> * Meet Bot The Meeting Topic is now Init Process <- above
2024-06-25 17:05:24 <@dbelyavs:fedora.im> zbyszek: https://mailarchive.ietf.org/arch/msg/dnsop/HFg5PHXmCJ7Psz2jWmjyVRJmEWI/
2024-06-25 17:06:11 <@zbyszek:fedora.im> !topic #3229 Change: Make OpenSSL distrust SHA-1 signatures by default
2024-06-25 17:06:18 <@zbyszek:fedora.im> !info ttps://mailarchive.ietf.org/arch/msg/dnsop/HFg5PHXmCJ7Psz2jWmjyVRJmEWI/
2024-06-25 17:06:32 <@zbyszek:fedora.im> !info https://mailarchive.ietf.org/arch/msg/dnsop/HFg5PHXmCJ7Psz2jWmjyVRJmEWI/
2024-06-25 17:07:16 <@decathorpe:fedora.im> lol @ Apple
2024-06-25 17:07:37 <@zbyszek:fedora.im> I didn't do my homework for this one…
2024-06-25 17:07:42 <@nirik:matrix.scrye.com> FWIW, I am +1 to this change...
2024-06-25 17:08:12 <@sgallagh:fedora.im> So, just catch me up: is the ONLY reason we're considering not disabling SHA-1 because of these few DNSSEC domains?
2024-06-25 17:08:30 <@simo:fedora.im> yes
2024-06-25 17:08:36 <@simo:fedora.im> and it is not a good reason
2024-06-25 17:08:47 <@jistone:fedora.im> can you add an info for the Change issue?
2024-06-25 17:08:55 <@sgallagh:fedora.im> simo: I tend to agree. I just want to make sure there aren't other reasons I missed in the discussion somewhere
2024-06-25 17:09:09 <@nirik:matrix.scrye.com> !fesco 3229
2024-06-25 17:09:10 <@zodbot:fedora.im> ● **Assignee:** asosedkin
2024-06-25 17:09:10 <@zodbot:fedora.im> ● **Last Updated:** 16 minutes ago
2024-06-25 17:09:10 <@zodbot:fedora.im> ● **Opened:** 4 days ago by amoloney
2024-06-25 17:09:10 <@zodbot:fedora.im>
2024-06-25 17:09:10 <@zodbot:fedora.im> **fesco #3229** (https://pagure.io/fesco/issue/3229): **Change: Make OpenSSL distrust SHA-1 signatures by default**
2024-06-25 17:09:13 <@simo:fedora.im> besides dns tools could technically re-enable sha-1 on their own, if *really* needed
2024-06-25 17:09:19 <@zodbot:fedora.im> jistone gave a cookie to kevin. They now have 680 cookies, 21 of which were obtained in the Fedora 40 release cycle
2024-06-25 17:09:26 <@decathorpe:fedora.im> at this point I think no other important SHA1 users are left ... even the Google chrome RPM is now signed with non-sha1 too :O
2024-06-25 17:09:47 <@salimma:fedora.im> there's an unanswered question of when runcp will be packaged - it's now in COPR
2024-06-25 17:10:05 <@zbyszek:fedora.im> Does anyone know what runcp does under the hood?
2024-06-25 17:10:16 <@simo:fedora.im> we really MUST stop accepting signatures that use SHA-1, it is a liability; it takes not too much money to break them now, certainly nation state actors can, but also some rich crooks
2024-06-25 17:10:19 <@salimma:fedora.im> the change owners should know, right?
2024-06-25 17:10:26 <@nirik:matrix.scrye.com> ? a z80 simulator?
2024-06-25 17:11:05 <@jistone:fedora.im> that's runcpm
2024-06-25 17:11:12 <@simo:fedora.im> I do not think runcp is a required dependency for this change, it is only a nice to have
2024-06-25 17:11:25 <@dbelyavs:fedora.im> I think it provides an alternate OpenSSL configuration for this and only this run of a particular application
2024-06-25 17:11:29 <@simo:fedora.im> runCP/M you mean?
2024-06-25 17:11:41 <@salimma:fedora.im> nirik: it's mentioned in the change proposal - you can use it to run a single process under a different crypto policy
2024-06-25 17:12:01 <@sgallagh:fedora.im> Proposal: Accept the Change and disallow SHA-1 by default. Mitigations exist for individual applications to re-enable it if absolutely necessary.
2024-06-25 17:12:12 <@zbyszek:fedora.im> Yeah, but the problem in the past was that openssl wouldn't allow per-application configuration. So runcp provides that, but it sounds like it does in some strange fashion.
2024-06-25 17:12:37 <@nirik:matrix.scrye.com> ah, I remember now... right
2024-06-25 17:12:42 <@dbelyavs:fedora.im> It does. OPENSSL_CONF env variable still works :)
2024-06-25 17:12:57 <@simo:fedora.im> zbyszek: it basically created an overlay container that changes cryptopolicies only for that app, and leaves all other namespaces sane
2024-06-25 17:13:01 <@nirik:matrix.scrye.com> Stephen Gallagher +1
2024-06-25 17:13:06 <@jistone:fedora.im> +1
2024-06-25 17:13:14 <@zbyszek:fedora.im> Oh, bleh.
2024-06-25 17:13:19 <@salimma:fedora.im> all recent builds of runcp have failed which is... not reassuring - https://copr.fedorainfracloud.org/coprs/asosedkin/crypto-policies-extras/package/crypto-policies-extras/
2024-06-25 17:13:40 <@hkario:fedora.im> I fail to see how that's relevant: we're fine with exposing _all_ fedora users to SHA-1 attacks only because the few that need it can't be bothered to switch to LEGACY policy or would like the ability to run one or two applications with a specific policy??
2024-06-25 17:13:57 <@decathorpe:fedora.im> Stephen Gallagher: +1
2024-06-25 17:14:03 <@simo:fedora.im> Michel Lind 🎩: as mentioned above it is only a nice-to-have, not a hard require
2024-06-25 17:14:08 <@zbyszek:fedora.im> Stephen Gallagher: +1
2024-06-25 17:14:45 <@hkario:fedora.im> also latest build of it failed only on one arch: ppc64le
2024-06-25 17:14:48 <@salimma:fedora.im> fair. on further consideration given the small impact I think it's fine to change the default. but... just pointing out runcp as is _does not actually work_ even with the COPR
2024-06-25 17:14:57 <@salimma:fedora.im> ah... only ppc. fun
2024-06-25 17:15:02 <@sgallagh:fedora.im> I'm perfectly happy with disabling access to systems/software that are unwilling to follow good security practices.
2024-06-25 17:15:51 <@salimma:fedora.im> oh it only fails for ppc64le only for c10s. I don't think we need to worry about that
2024-06-25 17:16:35 <@zbyszek:fedora.im> Tally so far: Neal -1, Stephen, Fabio, me, Kevin +1
2024-06-25 17:16:45 <@zbyszek:fedora.im> Josh +1
2024-06-25 17:16:49 <@salimma:fedora.im> +1 from me
2024-06-25 17:16:50 <@dcantrell:fedora.im> +1
2024-06-25 17:17:16 <@salimma:fedora.im> knowing runcp uses an overlay container, I think I'm fine keeping it in COPR :P
2024-06-25 17:17:39 <@zbyszek:fedora.im> Element puts so much vertical whitespace that doing a tally requires scrolling up two screens.
2024-06-25 17:17:54 <@salimma:fedora.im> switch it to IRC mode :)
2024-06-25 17:18:04 <@simo:fedora.im> (use the IRC-like appearance and smaller font :p)
2024-06-25 17:18:15 <@nirik:matrix.scrye.com> nheko does a bit better
2024-06-25 17:18:47 <@nirik:matrix.scrye.com> fractal does a lot worse. ;)
2024-06-25 17:18:49 <@zbyszek:fedora.im> !agreed APPROVED: Accept the Change and disallow SHA-1 by default. Mitigations exist for individual applications to re-enable it if absolutely necessary (+7, 0, -1)
2024-06-25 17:19:26 <@zbyszek:fedora.im> !fesco 3229
2024-06-25 17:19:27 <@zodbot:fedora.im>
2024-06-25 17:19:27 <@zodbot:fedora.im> **fesco #3229** (https://pagure.io/fesco/issue/3229): **Change: Make OpenSSL distrust SHA-1 signatures by default**
2024-06-25 17:19:27 <@zodbot:fedora.im> ● **Opened:** 4 days ago by amoloney
2024-06-25 17:19:27 <@zodbot:fedora.im> ● **Last Updated:** 26 minutes ago
2024-06-25 17:19:27 <@zodbot:fedora.im> ● **Assignee:** asosedkin
2024-06-25 17:19:31 <@zbyszek:fedora.im> I forgot that line.
2024-06-25 17:19:37 <@zbyszek:fedora.im> !topic Next week's chair
2024-06-25 17:19:50 <@dbelyavs:fedora.im> Thank you!
2024-06-25 17:19:51 <@sgallagh:fedora.im> I will be away next week and cannot attend
2024-06-25 17:20:00 <@simo:fedora.im> 🎆🍾🍾🍾
2024-06-25 17:20:01 <@jistone:fedora.im> I'll also be away
2024-06-25 17:20:10 <@dcantrell:fedora.im> and I will be away
2024-06-25 17:20:25 <@zbyszek:fedora.im> Dmitry Belyavskiy++ thank you for joining
2024-06-25 17:20:26 <@zodbot:fedora.im> zbyszek gave a cookie to dbelyavs. They now have 3 cookies, 1 of which was obtained in the Fedora 40 release cycle
2024-06-25 17:20:35 <@sgallagh:fedora.im> Next week is a US holiday, so it may be low attendance all-around
2024-06-25 17:20:39 <@nirik:matrix.scrye.com> probably me too.
2024-06-25 17:20:52 <@simo:fedora.im> I failed at matrixing :-)
2024-06-25 17:20:55 <@sgallagh:fedora.im> Rather, next week *includes* a US holiday. Not Tuesday specifically
2024-06-25 17:21:03 <@zbyszek:fedora.im> OK, that's four down, so let's drop the next meeting.
2024-06-25 17:21:12 <@zbyszek:fedora.im> !info The next meeting will be in two weeks.
2024-06-25 17:21:28 <@zbyszek:fedora.im> So any volunteers for two weeks from now? :---]
2024-06-25 17:21:38 <@jistone:fedora.im> I can chair on the 9th
2024-06-25 17:21:43 <@simo:fedora.im> whatever this chat thing is called
2024-06-25 17:21:43 <@simo:fedora.im> or elementing?
2024-06-25 17:21:59 <@zbyszek:fedora.im> !action Josh Stone will chair the meeting in two weeks
2024-06-25 17:22:06 <@zbyszek:fedora.im> !topic Open Floor
2024-06-25 17:23:00 <@zbyszek:fedora.im> Nothing is on fire?
2024-06-25 17:23:06 <@zbyszek:fedora.im> No urgent complaints?
2024-06-25 17:23:21 <@sgallagh:fedora.im> Amazingly, we came to a good choice on the new time
2024-06-25 17:23:39 <@decathorpe:fedora.im> zbyszek don't jinx it
2024-06-25 17:23:41 <@zbyszek:fedora.im> Yeah, having a meeting while the sun is still out is so refreshing.
2024-06-25 17:24:02 <@nirik:matrix.scrye.com> just wait tho...
2024-06-25 17:24:07 <@decathorpe:fedora.im> isn't this the old old meeting time from like 3 years ago?
2024-06-25 17:24:41 <@salimma:fedora.im> it's lunchtime for me but having taken this meeting from Central Europe, the old meeting time is hell so... I'm happy to take lunch slightly late
2024-06-25 17:24:55 <@zbyszek:fedora.im> OK, so let's wrap this up.
2024-06-25 17:25:04 <@zbyszek:fedora.im> Thank y'all for coming.
2024-06-25 17:25:06 <@zbyszek:fedora.im> !endmeeting