Another status update:
1. USDT/eBPF tracing turned out to be a fruitful logging approach.
Clemens Lang has kindly added USDT probes to the latest openssl builds,
traceable with a small tool [1] available from a copr [2].
Yes, this way it doesn't log into your face unpromptedly,
like stderr logging would, but, in turn, it's so non-invasive
that we're comfortable with bringing it to Fedora 36 as well.
2. crypto-policies has added FEDORA38 and TEST-FEDORA39 policies
for not following the change and testing it early correspondingly.
3. change wiki pages have been drafted for all 4 proposed rollout phases,
the Fedora 36 one has been marked as ChangeReadyForWrangler.
What I'd like some community help with beyond regular guidance:
1. reviews for the relevant wiki pages:
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning1
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning2
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3Forewarning3
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings3
https://fedoraproject.org/wiki/SHA1SignaturesGuidance
https://fedoraproject.org/wiki/WeakCryptographyException
2. proposing the testing activities outlined there for Test Days.
how is it done?
[1]
https://gitlab.com/redhat-crypto/fedora-sha1sig-tracer
[2]
https://copr.fedorainfracloud.org/coprs/asosedkin/sha1sig-tracer