On Wed, 2019-06-19 at 10:19 +0200, Vít Ondruch wrote:
> On 18. 06. 19 at 21:50, Ben Cotton wrote:
>> https://fedoraproject.org/wiki/Changes/CustomCryptoPolicies
>>
>> == Summary ==
>> This new feature of crypto-policies allows system administrators and
>> third party providers to modify and adjust the existing system-wide
>> crypto policies to enable or disable algorithms and protocols.
>>
>> == Owner ==
>> * Name: [[User:Tmraz | Tomáš Mráz]]
>> * Email: tmraz(a)redhat.com
>>
>> == Detailed Description ==
>>
>> The crypto-policies package will be enhanced to allow system
>> administrators to modify the existing system-wide crypto policy levels
>> by removing or adding enabled algorithms and protocols. For example it
>> will be possible to easily modify the existing DEFAULT
>
> I just wonder what is the strategy here? Does it mean that the
> "DEFAULT" definition will be stored permanently somewhere in /usr/ and
> I'll be able to copy the DEFAULT into /etc and modify it according to my
> needs?
>
> I am just asking, because AFAIK, currently the crypto policies
> configuration is stored just in /etc and modifying the "DEFAULT" profile
> would make the updates problematic, requiring someone to file with
> .rpmnew files etc. That would be unfortunate.

The configuration files will be created by a simple python application
(which the update-crypto-policies will transform into). You will
specify just the modifications that should be done to the base policy.

Please see
https://gitlab.com/redhat-crypto/fedora-crypto-policies/tree/custom-policies
to get the idea.

We might continue shipping the "unmodified" configurations in
/usr/share but I do not see much benefit in that except for being able
for the sysadmin to look at what the unmodified individual
configurations look like without applying the policy to the system.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]