On 03/25/2014 01:18 PM, Stephen Gallagher wrote:
> On 03/24/2014 10:14 PM, Kenjiro Nakayama wrote:
>> Although I have created a new ticket, I have received no response yet. Can
>> anyone take a look, or how long should I wait?
>>  https://fedorahosted.org/fpc/ticket/407
> I'm not speaking for the FPC (I'm not a member),
I am a member of the FPC, but am only speaking for myself, here ...
> but in general, it's
> preferred to modify the package to consume one of the approved crypto
> libraries if at all possible. It's very dangerous to allow bundled
> crypto implementations in the system because there are no guarantees
> that flaws will be fixed in a timely manner.
... I concur with you.
These days, bundling any cryptography-related routines (and static
linkage against libs containing cryptographic routines) has become
hardly acceptable and hardly tolerable.
That said, I am in favor of the FPC banning any bundled encryption routines,
aiming to concentrate such routines into very few
packages/libraries. I am aware that enforcing this will likely be tedious,
but I feel it's the only alternative Fedora has to keep the risk of
users being endangered by compromised cryptography low.