havege in polarssl not enabled and maintainer refuses to enable it (#1069394)

Jonathan Dieter jdieter at lesbg.com
Wed Oct 1 15:59:52 UTC 2014

On 10/01/2014 03:33 PM, Matthew Miller wrote:
> On Wed, Oct 01, 2014 at 08:52:03AM +0300, Jonathan Dieter wrote:
>> The havege functions in the polarssl package are currently disabled
>> in the Fedora package.  Newer releases of dolphin-emu, which are in
>> a popular external repository, require these functions.
>> According to https://bugzilla.redhat.com/show_bug.cgi?id=1069394#c1,
>> the HAVEGE feature is disabled because it's "controversial" and
>> "would lead to security problems", but the maintainer hasn't given
>> any more explanation than that in the bug report.
>> Is there any way we can get a second opinion on this?  The external
> Yes there is. Since the objection is potentially security related, it would
> be good to get the input of the Fedora Security Team (probably on the
> security@ mailing list). Second, having had that conversation, if it still
> goes nowhere, file a ticket with FESCo.

Thanks, Matthew, for the roadmap on this.  When doing further research to
try to work out where dolphin-emu was actually using the code, I found 
that since dolphin-emu's latest release, they've switched to using 
polarssl without the havege functions.  I'm hoping we can backport those 
commits into the latest release.

So, at this point, I think I'm going to desubmit (is that a word? 
unsubmit?) my request for a second opinion and won't be pursuing this 
any further.  Apologies for any wasted time, and thanks, Nikos, for
explaining what havege is and why it shouldn't be used in this context.


