[Rpm-maint] [rpm-software-management/rpm] Phasing out obsolete crypto in rpm (#1292)

Demi Marie Obenour notifications at github.com
Fri Dec 25 03:18:58 UTC 2020


> Besides the currently obsolete things, new things need to be built with the mindset that all crypto _will_ become obsolete over time, and avoid putting it into new places where it only gets in our way eventually.

I suggest avoiding algorithm agility as much as possible.  It is great in theory, but in practice, it leads to a bunch of extra complexity, which in turn causes exploitable vulnerabilities.  The current header parsing code is already *far* too complex.

Instead, choose *one* ― and only one ― set of algorithms.  Drop support for all the others.  And change the file version number when an algorithm change is needed.  That’s what signify, age, WireGuard, and most other new cryptographic protocols do.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1292#issuecomment-751158345
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20201224/a3e8217c/attachment-0001.html>


More information about the Rpm-maint mailing list