On Wed, 2016-09-28 at 11:43 -0400, Matthew Miller wrote:
> On Wed, Sep 28, 2016 at 03:13:34PM +0100, Tomasz Kłoczko wrote:
> >
> > Is it any official Fedora policy/call to move away from openssl?
>
> As far as I know, no. There was this attempt:
>
> https://fedoraproject.org/wiki/FedoraCryptoConsolidation
>
> but as the top of the page notes, the effort has been abandoned. (It's
> basically impossible to change every project in the world.) From that
> document, though:
>
>     The libraries that should be preferred instead of arbitrary other
>     crypto stacks are (in the order of the preference):
>
>     1. NSS
>     2. GNUTLS (with nettle as crypto backend, but nettle never used
>        directly by applications)
>     3. OpenSSL
>     4. libgcrypt
>
> and it might be reasonable to keep this as an "if possible, please
> prefer" policy rather than a mandate.

I'd like to underline the part _preferably the version recommended by
upstream_ of Packaging:CryptoPolicies. I believe it is best for us to
use the code that upstream primarily considers best for the
application.

regards,
Nikos