On 09.08.19 14:06, Stephen John Smoogen wrote:
One of many arguments is that whatever protocol set is used to sign artifacts has to be audited by various outside agencies in Europe/US/etc to be used on their systems. That costs time and money to do. Certain tools are already audited, like openssl, so using them is easier to get added to an ongoing certification than something which is not audited, like libsodium. If it hasn't been part of an ongoing certification, libsodium would need to be started from the ground up and would probably take 2-3 years. Until it is done, there would be considerable 'push-back' from various consumers of Fedora, from just French government agencies, against using it as part of something they would allow for usage. That has a pile-on effect, as industries wanting to work with said agencies can't use the OS in certain places, which boils out as a 4-5 year time where the signing is in limbo.
This is the part that Petr is not diplomatically covering in that the protocol for signing needs to be past and future reliable. The tool writer needs to know that it is a long haul of working with existing crap for a long time until it can hopefully be removed in 5-10 years when whatever audits and certs are done.
Thanks for the explanation! That's unfortunate! :(
However, this only impacts RHEL/CentOS as libsodium is already packaged in Fedora and EPEL, so no problem there using Minisign for verifying file signatures using it I guess?
Replacing PGP with Minisign for RPM package signatures requires a bit more time then :-)
Cheers, François