Concern about FedoraCryptoConsolidation

Paul Wouters pwouters at redhat.com
Tue May 7 15:16:36 UTC 2013


On Tue, 7 May 2013, Matej Cepl wrote:

> Subject: Re: Concern about FedoraCryptoConsolidation
> 
> On 2013-05-07, 04:10 GMT, Richard Levenberg wrote:
>> https://fedoraproject.org/wiki/FedoraCryptoConsolidation
>>
>> While I understand the reasons for this idea of Consolidation I have a
>> concern that very valid use cases are being ignored or unknown. As an
>> example I have a use case supported with curl and OpenSSL like this:
>
> I wouldn't be much worried about that project. See the date of that page
> and state of the (non-)consolidation in the current Fedora.

We should be worried. The proliferation of basement crypto is a real problem.

If you want your package to get into RHEL, you will need to ensure your
package has no home-grown crypto, and uses either nss, openssl or libgcrypt.
This will also allow FIPS mode to work.

Also note that some things listed in the above URL are actively worked on, e.g.:

http://fedoraproject.org/wiki/Features/SharedSystemCertificates

It would be great if we had the resources to start making an inventory
of the problem, let alone the resources to resolve these.

Instead, we seem to be seeing an increase in new library use, such as
nacl and botan.

Look at how many bugs have been found in openssl and nss. And
those packages have seen many, many eyeballs, both academic and
commercial.

Paul

