Quoting Kevin Kofler via devel (2022-06-30 14:15:04)
You are making two doubtful assumptions:
1. That the users will bother reporting their issues to the server
administrators at all. I would expect them to just blame Fedora for it and
move to a different operating system that just works, or at most to apply a
local workaround (what I called "jump through hoops", e.g., changing the
system crypto policy to LEGACY and/or loading the legacy provider with its
legacy algorithms into OpenSSL) and then forget about it.
2. That the server administrators will actually care about complaints from
non-Windows users, assuming they even read user complaints at all to begin
with, and that they will be willing to switch to newer (more secure)
algorithms that may break compatibility with some ancient operating systems
that other users might still use.
I agree with your statements
but I do not make the assumptions you prescribe to me.
I'm painfully aware that progress doesn't happen magically
when we break something in Fedora.
Hoops are a horrible propellant of progress,
but still the best one we have.
I do not believe that Fedora actually has any levy to get server
administrators to upgrade their setups.
We have to work with whatever obsolete junk is out there.
Is Fedora supposed to be a locomotive of secure defaults?
In an attempt to slow down devolving into opinion-vs-opinion,
let me back mine with
https://docs.fedoraproject.org/en-US/project:
Four Foundations: First
We are committed to innovation.
We are not content to let others do all the heavy lifting on our behalf;
we provide the latest in stable and robust, useful,
and powerful free software in our Fedora distribution.
At any point in time, the latest Fedora platform
shows the future direction of the operating system
as it is experienced by everyone from the home desktop user
to the enterprise business customer.
Our rapid release cycle
is a major enabling factor in our ability to innovate.
We recognize that there is also a place for long-term stability in the
Linux ecosystem, and that there are a variety of community-oriented
and business-oriented Linux distributions available to serve that need.
However, the Fedora Project’s goal of advancing free software dictates
that the Fedora Project itself pursue a strategy
that preserves the forward momentum of our technical,
collateral, and community-building progress.
Fedora always aims to provide the future, first.
In terms of cryptographic defaults, Fedora even lags behind RHEL,
so requests to slow down even further don't elicit much support from me.
If one day this page replaces "First" with, say,
"Compatibility: we have to work with whatever obsolete junk is out there,
security comes second", I will concede.
But today, I think the current pace of
deprecations *in the default configuration*
doesn't just align with Fedora's goals, it's slower than it should be.
Non-default configurations are a different beast altogether,
and the users' feet-shooting freedom is something we should defend, yes.
But the defaults have to march on unabated.