Tuesday, June 30, 2026

F45 Change Proposal: oo7 Secrets Service Provider (system-wide)

Wiki - https://fedoraproject.org/wiki/Changes/oo7_Secrets_Service_Provider
Discussion thread - https://discussion.fedoraproject.org/t/f45-change-proposal-oo7-secrets-service-provider-system-wide/195274

This is a proposed Change for Fedora Linux. This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Switch the default Secrets Service provider for Fedora desktops from KWallet and GNOME Keyring to oo7.

== Owner ==
* Name: [[User:ngompa| Neal Gompa]], [[User:decathorpe| Fabio Valentini]], [[User:salimma| Michel Lind]]
* Email: ngompa13@gmail.com, decathorpe@gmail.com, michel@michel-slm.name

== Detailed Description ==
A new universal secrets storage system has been developed in the form of [https://github.com/linux-credentials/oo7 oo7] that replaces KWallet's backend and GNOME Keyring. Package up <code>oo7-daemon</code> and associated support code and change the Fedora default secrets storage backend to it across all desktops.

== Feedback ==

== Benefit to Fedora ==
The idea with this new secrets storage system is to support a new model for credentials where scoped authorization is possible for applications and services. Additionally, it opens the door for mediating access to FIDO2-based authentication mechanisms. This lends itself well to enabling limited trust to secrets for sandboxed applications, among other things. KDE Plasma, COSMIC, and GNOME (among others) are all converging on this, so enabling it allows Fedora to remain at the forefront of supporting desktop technologies.

== Scope ==
* Proposal owners:
** Package <code>oo7-daemon</code>, PAM module, and other support code
** Add oo7 PAM module to relevant PAM configs where gnome-keyring and kwallet PAM modules are listed
** Adjust comps to replace gnome-keyring with oo7-daemon
** Adjust dependencies in desktops to use oo7 instead of gnome-keyring
* Other developers: N/A (not needed for this Change)
* Release engineering: [https://forge.fedoraproject.org/releng/tickets/issues/13405 #13405]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
The oo7 service will automatically migrate existing data from GNOME Keyring and KWallet, so no user interaction is required to handle the transition.

== How To Test ==
Once oo7-daemon and related code are packaged and the updated configuration lands in Rawhide, users can test this simply by upgrading and using things that leverage the secrets service like normal.

== User Experience ==
This is expected to be fairly transparent to the user.

== Dependencies ==
This will involve updating the PAM configuration files for the desktops and login managers used across Fedora deliverables.

== Contingency Plan ==
* Contingency mechanism: Revert the swap to oo7 and defer to the next release
* Contingency deadline: Beta freeze
* Blocks release? Yes

== Documentation ==
More information about oo7 is present in [https://docs.rs/oo7/ the upstream project documentation].

== Release Notes ==
Fedora Linux now uses oo7 as the default secrets service provider, replacing older solutions like GNOME Keyring. This brings enhanced security to secrets management, particularly for sandboxed applications, and enables FIDO2 authentication secrets.
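The "How To Test" section above says to upgrade and use the secrets service as normal. A tester will usually also want a concrete check that the Secret Service bus name is really being served by the new daemon rather than a leftover GNOME Keyring or KWallet process. The script below is an added example, not part of the Change proposal or of the oo7 project; it inspects the owner of <code>org.freedesktop.secrets</code> on the user session bus via <code>busctl --user list</code> and classifies the owning process. It assumes the listing's first three columns are NAME, PID and PROCESS, and that the provider processes appear under the names <code>oo7-daemon</code>, <code>gnome-keyring-daemon</code> (truncated by busctl to the kernel comm name) and <code>kwalletd</code>; those spellings are assumptions, and the embedded sample listing is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not part of the Change proposal or the oo7 project): report
# which daemon currently owns the Secret Service bus name on the session bus.
# Assumptions: `busctl --user list` prints NAME PID PROCESS as its first
# three columns, and the provider process names below are spelled as shown.

SECRETS_NAME="org.freedesktop.secrets"

# Read a busctl-style listing on stdin and print, for $SECRETS_NAME:
#   "<pid> <process>"  when the name has an owner,
#   "inactive"         when the name is listed but unowned (PID shown as "-"),
#   "absent"           when the name does not appear at all.
secrets_owner_from_listing() {
    awk -v name="$SECRETS_NAME" '
        $1 == name {
            found = 1
            if ($2 == "-") print "inactive"; else print $2, $3
            exit
        }
        END { if (!found) print "absent" }'
}

# Map an owning process name (possibly truncated by busctl) to a provider.
classify_provider() {
    case "$1" in
        oo7-daemon*)    echo "oo7" ;;
        gnome-keyring*) echo "gnome-keyring" ;;
        kwalletd*)      echo "kwallet" ;;
        *)              echo "unknown" ;;
    esac
}

# Constructed sample listing standing in for real `busctl --user list` output.
SAMPLE_LISTING='NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION
org.freedesktop.DBus 1 systemd user - - - -
org.freedesktop.secrets 2345 oo7-daemon user :1.8 oo7-daemon.service - -'

# Describe the provider for a listing on stdin. Returns 0 only when oo7 owns
# the name, so this can gate a post-upgrade check in a script.
report_provider() {
    owner=$(secrets_owner_from_listing)
    case "$owner" in
        absent|inactive)
            echo "$SECRETS_NAME: $owner (no provider is currently running)"
            return 1 ;;
    esac
    pid=${owner%% *}
    proc=${owner#* }
    provider=$(classify_provider "$proc")
    echo "$SECRETS_NAME is owned by pid $pid ($proc) -> provider: $provider"
    [ "$provider" = "oo7" ]
}

# With --live, query the real session bus; otherwise run on the sample listing.
if [ "${1:-}" = "--live" ]; then
    command -v busctl >/dev/null 2>&1 || { echo "busctl not found" >&2; exit 2; }
    busctl --user list --no-pager 2>/dev/null | report_provider
else
    printf '%s\n' "$SAMPLE_LISTING" | report_provider
fi
```

Run it with <code>--live</code> inside a logged-in desktop session after the upgrade; a non-zero exit with a <code>gnome-keyring</code> or <code>kwallet</code> result means the old provider is still claiming the name and the PAM or autostart configuration has not taken effect for that session.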
--
Aoife Moloney
Fedora Operations Architect
Fedora Project
Matrix: @amoloney:fedora.im
IRC: amoloney
--
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
