[pve-devel] [PATCH proxmox-offline-mirror 2/2] fix #4632: allow escape hatches for legacy repositories

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Apr 6 13:57:53 CEST 2023


On April 6, 2023 1:23 pm, Thomas Lamprecht wrote:
> On 04/04/2023 at 09:48, Fabian Grünbichler wrote:
>> there are still repositories out there that are using things like DSA/RSA-1024
>> and SHA1, so let's allow POM users to opt into accepting those insecure
>> cryptographic parameters, but keep the default settings secure.
>> 
>> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
>> ---
>>  src/bin/proxmox-offline-mirror.rs             |  2 +
>>  src/bin/proxmox_offline_mirror_cmds/config.rs |  4 ++
>>  src/config.rs                                 | 42 ++++++++++++++++++-
>>  src/helpers/verifier.rs                       | 20 ++++++++-
>>  src/mirror.rs                                 | 17 +++++++-
>>  5 files changed, 81 insertions(+), 4 deletions(-)
>> 
>> diff --git a/src/bin/proxmox-offline-mirror.rs b/src/bin/proxmox-offline-mirror.rs
>> index 3af33bb..bec366a 100644
>> --- a/src/bin/proxmox-offline-mirror.rs
>> +++ b/src/bin/proxmox-offline-mirror.rs
>> @@ -423,6 +423,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>>                  use_subscription: None,
>>                  ignore_errors: false,
>>                  skip,
>> +                weak_crypto: None,
>>              });
>>          }
>>      }
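Review bot: the new `weak_crypto: None` here (and the identical one in the next hunk) relies on `None` being interpreted downstream as the secure default (reject SHA1, default key sizes) rather than as "unspecified"; a one-line comment at the field definition, or at these call sites, would make that intent explicit for the next person touching `action_add_mirror`.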
>> @@ -438,6 +439,7 @@ fn action_add_mirror(config: &SectionConfigData) -> Result<Vec<MirrorConfig>, Er
>>          use_subscription,
>>          ignore_errors: false,
>>          skip,
>> +        weak_crypto: None,
>>      };
>>  
>>      configs.push(main_config);
>> diff --git a/src/bin/proxmox_offline_mirror_cmds/config.rs b/src/bin/proxmox_offline_mirror_cmds/config.rs
>> index 3ebf4ad..696da11 100644
>> --- a/src/bin/proxmox_offline_mirror_cmds/config.rs
>> +++ b/src/bin/proxmox_offline_mirror_cmds/config.rs
>> @@ -274,6 +274,10 @@ pub fn update_mirror(
>>          data.skip.skip_sections = Some(skip_sections);
>>      }
>>  
>> +    if let Some(weak_crypto) = update.weak_crypto {
>> +        data.weak_crypto = Some(weak_crypto);
>> +    }
>> +
>>      config.set_data(&id, "mirror", &data)?;
>>      proxmox_offline_mirror::config::save_config(&config_file, &config)?;
>>  
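Review bot: the new block in `update_mirror` only copies `weak_crypto` when the update carries `Some`, so once an escape hatch has been enabled there is no path in this hunk to clear it back to the secure default; if the function's delete handling (not visible in this hunk) does not cover `weak_crypto`, it should, so an operator can revoke the exception without hand-editing the config file.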
>> diff --git a/src/config.rs b/src/config.rs
>> index 39b1193..0e19c77 100644
>> --- a/src/config.rs
>> +++ b/src/config.rs
>> @@ -5,7 +5,7 @@ use lazy_static::lazy_static;
>>  use proxmox_subscription::{sign::ServerBlob, SubscriptionInfo};
>>  use serde::{Deserialize, Serialize};
>>  
>> -use proxmox_schema::{api, ApiType, Schema, Updater};
>> +use proxmox_schema::{api, ApiStringFormat, ApiType, Schema, Updater};
>>  use proxmox_section_config::{SectionConfig, SectionConfigData, SectionConfigPlugin};
>>  use proxmox_sys::fs::{replace_file, CreateOptions};
>>  
>> @@ -46,6 +46,38 @@ pub struct SkipConfig {
>>      pub skip_packages: Option<Vec<String>>,
>>  }
>>  
>> +#[api(
>> +    properties: {
>> +        "allow-sha1": {
>> +            type: bool,
>> +            default: false,
>> +            optional: true,
>> +        },
>> +        "min-dsa-key-size": {
>> +            type: u64,
>> +            optional: true,
> 
> could we encode minimum value and default of 2048 here? As the existence of the option
> indicates that there is some minimum, and not knowing what that is, could be IMO slightly
> confusing for users.

yes

> I didn't find a quick/easy way to get the actual value from sequoia, but raising this limit
> is probably either a breaking change or will be highlighted in any release notes so we
> should be made aware of when to update it if we just hard-code it here.

we could also define our own policy (or overrides for stuff we want to accept
for the time being, irrespective of sequoia's standard policy) if we want.

there is some work[0] for making the policies loadable from a file, but that
would then tie us rather directly to sequoia if we offer that via our config
(also, the format is rather involved and not very user friendly).

0: https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/

>> +        },
>> +        "min-rsa-key-size": {
>> +            type: u64,
>> +            optional: true,
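Review bot: `min-rsa-key-size` (and `min-dsa-key-size` in the first part of this hunk) is declared as a bare `u64` with neither `default:` nor `minimum:`, so the schema would accept `0` or a typo such as `248`, which effectively switches the key-size check off; besides the default of 2048 discussed above, a `minimum:` bound (1024, the weakest size this escape hatch is meant to admit, would match the commit message) lets the schema reject values that disable verification outright.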
> 
> same here.
> 