On Thu, 2014-02-27 at 16:35 +0000, Colin Walters wrote:
> wrote:
> > and being applied after executing update-crypto-profiles. (Note: it
> > would be better to have a daemon that watches those files and runs
> > update-crypto-profiles automatically)
>
> Was the option of patching the libraries to *directly* read this new
> config file and prefer it over their own internal ones considered?

Hello,

Do you mean ignoring any other configured option? If we enforce something like that, there will not be any easy way to override the defaults, and I think that it would most probably result in forum advice like "delete the crypto profile file", or "set a very weak profile that would work everywhere".

That result would be undesirable, but there is a practical reason too. There are strings in openssl and gnutls that enable PSK ciphersuites or other exotic options for some applications, that we will not have enabled in a system wide policy (not initially at least).

regards,
Nikos