| ID | 5208 |
| Package Name | crypto-policies |
| Version | 20250214 |
| Release | 1.gitfd9b9b9.el10.1.0.ydi.1~ydi.1 |
| Epoch | |
Draft | False |
| Source | git+https://github.com/xcp-ng-rpms/crypto-policies.git#c76891a15391cd8188c9a66d5771c57f9140f88f |
| Summary |
| Description |
| Built by | ydirson |
| State |
complete
|
| Volume |
DEFAULT |
| Started | Tue, 10 Mar 2026 15:47:01 UTC |
| Completed | Tue, 10 Mar 2026 15:48:23 UTC |
| Task | build (v9.0-u-ydi-a10, /xcp-ng-rpms/crypto-policies.git:c76891a15391cd8188c9a66d5771c57f9140f88f) |
| Extra | {'source': {'original_url': 'git+https://github.com/xcp-ng-rpms/crypto-policies.git?#c76891a15391cd8188c9a66d5771c57f9140f88f'}} |
| Tags |
|
| RPMs |
| src | |
|---|
|
crypto-policies-20250214-1.gitfd9b9b9.el10.1.0.ydi.1~ydi.1.src.rpm (info) (download) |
| noarch |
|
crypto-policies-20250214-1.gitfd9b9b9.el10.1.0.ydi.1~ydi.1.noarch.rpm (info) (download)
|
|
crypto-policies-pq-preview-20250214-1.gitfd9b9b9.el10.1.0.ydi.1~ydi.1.noarch.rpm (info) (download)
|
|
crypto-policies-scripts-20250214-1.gitfd9b9b9.el10.1.0.ydi.1~ydi.1.noarch.rpm (info) (download)
|
|
| Logs |
|
| Changelog |
* Tue Mar 10 2026 Yann Dirson <yann.dirson@vates.tech> - 20250214-1.gitfd9b9b9.1.0.ydi.1
- Add Requires(pre): /bin/sh to fix installation while bootstrapping a rootfs
- Allow x86_64_v2 explicitly in a hope to help koji build the package
* Tue Jul 15 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250214-1.gitfd9b9b9.1
- AD-SUPPORT-LEGACY: resurrect subpolicy as present in RHEL-9
* Fri Feb 14 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250214-1.gitfd9b9b9
- openssl: use both names for P384-MLKEM1024
* Tue Jan 28 2025 Alexander Sosedkin <asosedkin@redhat.com> - 20250128-1.git22421d3
- openssl: stricter enabling of Ciphersuites
- openssl: make use of -CBC and -AESGCM keywords
* Thu Nov 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241128-1.git0dd441c
- openssl: add TLS 1.3 Brainpool identifiers
* Tue Nov 26 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241126-1.gitd63f008
- alg_lists: mark MLKEM768 kex experimental
- openssh, libssh: refactor kx maps to use tuples
- openssh: map mlkem768x25519-sha256 to KEM-ECDH & MLKEM768-X25519 & SHA2-256
- update-crypto-policies: skip warning on --set=FIPS if bootc
- update-crypto-policies: don't output FIPS warning in fips mode
* Wed Nov 06 2024 Clemens Lang <cllang@redhat.com> - 20241106-2.git7073416
- fips-mode-setup: Remove
Resolves: RHEL-65652
* Wed Nov 06 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241106-1.git1bdaba3
- gnutls: add GROUP-X25519-MLKEM768 and GROUP-SECP256R1-MLKEM768
- nss: add mlkem768x25519 and mlkem768secp256r1
* Tue Nov 05 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241105-1.git978ac26
- gnutls: `allow-rsa-pkcs1-encrypt = false` everywhere but in LEGACY
* Mon Nov 04 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241104-1.git6a67b8c
- openssl: use both names for SecP256r1MLKEM768 / X25519MLKEM768
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 20241021-2.gitd5393d5
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Oct 21 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241021-1.gitd5393d5
- TEST-PQ, openssh: add support for mlkem768x25519-sha256 key_exchange
- openssh: remove sntrup761x25519-sha512@openssh.com key_exchange
* Thu Oct 10 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20241010-1.git7a71364
- reintroduce TEST-PQ (ML-DSA/ML-KEM) in a crypto-policies-pq-preview subpackage
- LEGACY: enable 192-bit ciphers for nss pkcs12/smime
- LEGACY: drop cipher@pkcs12 = SEED-CBC
- fips-mode-setup: tolerate fips dracut module presence w/o FIPS
- nss: be stricter with new purposes
* Wed Aug 28 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240828-1.gitd249111
- fips-mode-setup: small Argon2 detection fix
* Thu Aug 22 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240822-1.git367040b
- fips-mode-setup: block if LUKS devices using Argon2 are detected
* Wed Aug 07 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240807-1.git7ea320f
- fips-crypto-policy-overlay: a unit to automount FIPS policy when fips=1
- fips-setup-helper: add a libexec helper for anaconda
- fips-mode-setup: force --no-bootcfg when UKI is detected
* Fri Aug 02 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240802-1.git8cb6f2d
- nss: rewrite backend for nss 3.101
* Thu Jul 25 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240725-1.git3de485c
- nss: wire KYBER768 to X25519-XYBER768D00
- java: start controlling / disable DTLSv1.0
- java: disable anon ciphersuites, tying them to NULL
- java: respect more key size restrictions
- java: specify jdk.tls.namedGroups system property
- java: make hash, mac and sign more orthogonal
- fips-mode-setup: add another scary "unsupported"
- fips-mode-setup: flashy ticking warning upon use
- java: use and include jdk.disabled.namedCurves
- ec_min_size: introduce and use in java, default to 256
- java: stop specifying jdk.tls.namedGroups in javasystem
- java: drop unused javasystem backend
- openssh: make dss no longer enableble, support is dropped
- LEGACY: disable sign = *-SHA1
- DEFAULT: disable RSA key exchange
- nss: TLS-REQUIRE-EMS in FIPS
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 20240522-2.git77963ab
- Bump release for June 2024 mass rebuild
* Wed May 22 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240522-1.git77963ab
- Switch to a version based on Fedora 41 crypto-policies
(20240521-1.gitf71d135.fc41),
thus replace the changelog below with Fedora changelog
- Shape up RHEL-10: remove GOST-ONLY policy and GOST subpolicy
- Shape up RHEL-10: remove NEXT policy
- Shape up RHEL-10: remove BSI policy
- Shape up RHEL-10: remove TEST-FEDORA41 policy
- Shape up RHEL-10: remove NO-SHA1 subpolicy
- Shape up RHEL-10: remove SHA1 subpolicy
- Shape up RHEL-10: remove TEST-PQ policy
- Shape up RHEL-10: disable CAMELLIA in all policies...
- Shape up RHEL-10: drop FFDHE-1024 from LEGACY
- Shape up RHEL-10: DEFAULT: remove Fedora-only DSA-SHA1 RPM enablement
- Shape up RHEL-10: remove Fedora-specific __openssl_block_sha1_signatures...
- Shape up RHEL-10: disable 3DES in LEGACY
- Shape up RHEL-10: disable DSA
- Shape up RHEL-10: mark LEGACY as 80-bit security (@tomato42)
- Shape up RHEL-10: require TLSv1.2/DTLSv1.2 in all policies
- Shape up RHEL-10: requre 2048 bit params in LEGACY
- Shape up RHEL-10: FUTURE: disable CBC ciphers for all but krb5
- Shape up RHEL-10: disable DHE-DSS even in LEGACY
- Shape up RHEL-10: gnutls: explicit ECDSA-SECPNNNR1-SHANNN + reorder
- Shape up RHEL-10: openssh: disable DHE-FFDHE-1024-SHA1 server config hack
- Shape up RHEL-10: FIPS: disable SHA-1 HMAC in FIPS policy
- Shape up RHEL-10: FIPS: disable CBC ciphers except in Kerberos
- Shape up RHEL-10: policies/modules: update AD-SUPPORT away from RC4/MD5
- Shape up RHEL-10: drop DNSSEC SHA-1 exception from DEFAULT
* Tue May 21 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240521-1.gitf71d135
- nss: unconditionally include p11-kit-proxy
- TEST-PQ: update algorithm list, mark all PQ algorithms experimental
* Wed May 15 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240515-1.gita24a14b
- gnutls: use tls-session-hash option, enforcing EMS in FIPS mode
- gnutls: DTLS 0.9 is controllable again
- gnutls: remove extraneous newline
- openssh: remove support for old names of RequiredRSASize
* Wed Mar 20 2024 Alexander Sosedkin <asosedkin@redhat.com> - 20240320-1.git58e3d95
- modules/FEDORA32, FEDORA38, TEST-FEDORA39: drop
- openssl: mark liboqsprovider groups optional with ?
- TEST-PQ: add more group and sign values, marked experimental
- TEST-FEDORA41: add a new policy with __openssl_block_sha1_signatures = 1
- TEST-PQ: also enable sntrup761x25519-sha512@openssh.com
|
