From Fedora Project Wiki

Revision as of 08:24, 9 July 2021


Sqlite SHA-1

Summary

Removal of deprecated crypto algorithm SHA-1 from sqlite.

Owner


Current status

  • Targeted release: Fedora 35
  • Last updated: 2021-07-09
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The use of SHA-1 is no longer permitted for Digital Signatures or authentication in RHEL-9. For this reason, the SHA-1 extension needs to be removed from sqlite in RHEL-9 and therefore also in Fedora. The removal was discussed with sqlite upstream developers, who confirmed that the extension is safe to remove and that removing it should not impact other sqlite functionality.

Feedback

Benefit to Fedora

This change removes a deprecated crypto algorithm that users should not use. It also keeps the Fedora project up to date with the newest RHEL release, which is beneficial for future releases.

Scope

  • Proposal owners:
    • Prepare a patch removing the SHA-1 algorithm from sqlite
    • Discuss the possible issues with upstream
    • Push the changes to Fedora
  • Other developers:
    • Do not use the SHA-1 algorithm in sqlite
  • Policies and guidelines: N/A (not needed for this Change)
    • No guidelines need to be updated for this change
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

The SHA-1 algorithm will no longer be supported in sqlite. The SHA-3 algorithm can be used instead.
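
To see whether an existing database is affected by this impact, its stored schema can be searched for calls to the removed functions. The following is an added example, not part of the Fedora proposal or of sqlite: it assumes the extension's SQL functions are `sha1()` and `sha1_query()` as defined in SQLite's `ext/misc/sha1.c`, and the helper names and sample schema are constructed for illustration.

```python
import hashlib
import re
import sqlite3

# SQL functions provided by SQLite's ext/misc/sha1.c (assumption, see lead-in).
# \b keeps identifiers such as "sha1_digest" or "my_sha1(" from matching.
SHA1_CALL = re.compile(r"\bsha1(?:_query)?\s*\(", re.IGNORECASE)

def function_available(conn, name):
    """Return True if SQL function `name` can be called with one argument."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("not a plain SQL identifier")
    try:
        conn.execute(f"SELECT {name}('')")
        return True
    except sqlite3.OperationalError:  # "no such function" or wrong arity
        return False

def find_sha1_users(conn):
    """List (type, name) of schema objects whose stored SQL calls sha1()."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master "
        "WHERE sql IS NOT NULL ORDER BY name")
    return [(kind, name) for kind, name, sql in rows if SHA1_CALL.search(sql)]

def _sha1_stand_in(value):
    data = value if isinstance(value, bytes) else str(value).encode()
    return hashlib.sha1(data).hexdigest()

def build_sample_db():
    """Constructed sample database. A stand-in sha1() is registered so the
    schema behaves as it would on a build that still ships the extension."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sha1", 1, _sha1_stand_in)
    conn.executescript("""
        CREATE TABLE files(id INTEGER PRIMARY KEY, body BLOB, sha1_digest TEXT);
        CREATE VIEW file_digests AS SELECT id, sha1(body) AS digest FROM files;
        CREATE TRIGGER files_ai AFTER INSERT ON files BEGIN
            UPDATE files SET sha1_digest = SHA1(NEW.body) WHERE id = NEW.id;
        END;
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print("sha1() callable:", function_available(db, "sha1"))
    for kind, name in find_sha1_users(db):
        print(f"{kind} {name} calls sha1() and needs migrating")
```

This only inspects SQL stored in the database file; queries that applications build at run time have to be reviewed in the application source.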

How To Test

No special testing is required for this change.

User Experience

Users won't be able to use the SHA-1 algorithm with sqlite. Instead, they can use the SHA-3 algorithm or any other supported algorithm.

Dependencies

Contingency Plan

  • Contingency mechanism: moving this change to Fedora 36 if it is not successfully finished by the Fedora 35 branching from Rawhide
  • Contingency deadline: Fedora 35 branching from Rawhide (2021-08-10)
  • Blocks release? No

Documentation

N/A (not a System Wide Change)

Release Notes