From Fedora Project Wiki

Revision as of 14:47, 1 September 2022 by Asosedkin (talk | contribs) (Initial draft)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


StrongCryptoSettings3 Test Day

Date 2022-09-05
Time 9:00 - 20:00 CEST

Website QA/Test Days
IRC #fedora-test-day (webirc)
Mailing list test


Can't make the date?
If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at Bugzilla, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?

This Test Day will focus on the upcoming (in F38-F39) tightening of crypto-policies: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3

Who's available

The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:

You can chat with us on IRC. See the infobox on top of the page to learn the right IRC channel.

Prerequisite for Test Day

  • Your existing, daily driver Fedora 36+ setup.

This one would be slightly unconventional because the change is testable from the existing Fedora 36+ setups and I aim to identify as many workflows it could break as possible, meaning that I'd very much like the users to experiment by trying it on their existing cozy diverse setups riddled with esoteric workflows and not on pristine clean fresh installs.

How to test?

Broadly speaking, I have three testing strategies to offer:

1. update-crypto-policies --set TEST-FEDORA39, continue using the system and note what breaks

2. update-crypto-policies --set FUTURE for those who get bored and want to discover more problems

3. Executing https://copr.fedorainfracloud.org/coprs/asosedkin/sha1sig-tracer tool that reports less issues, but provides the safest, extremely non-invasive approach for spotting a subset of the problematic scenarios since it only logs, not blocks SHA-1 signature usage in openssl

I don't have a good pre-set guidance of what exactly to test beyond the very basic suggestions of "update dnf metadata", "connect to VPNs if you use any", "fetch your email" and "try to identify something else you use that relies on cryptography". The most walked roads should probably be clear already, it's your imagination and exotic setups that I'm after.


Reporting bugs

All bugs should be reported into Bugzilla, against the component that relies on to-be-deprecated cryptographic operations. It's likely that you'll be unsure about what exactly would break, so let's investigate together on IRC (see instructions above).

After we confirm that it's indeed a bug triggered by the new change (by switching back and forth between policies and ensuring it's not present under DEFAULT), please file a ticket with a title starting with StrongCryptoSettings3: and link to https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2.

Test Results