On Fri, Mar 14, 2014 at 06:24:36PM -0400, Eric H. Christensen wrote:
> On Fri, Mar 14, 2014 at 08:01:53PM +0000, Matthew Garrett wrote:
> > If an incorrect choice means that the software the user wants to run
> > won't run, that's going to be a problem for the user. And we presumably
> > expect that some software won't run, because otherwise we'd be enabling
> > that security feature by default? A user who accidentally installs a
> > profile that enables FIPS compliance is going to have a bad time, for
> > instance.
>
> No, that's not exactly it. I've pointed out reasons why defaults
> usually suck (security-wise). I've yet to see a hardened system make
> software fail. I'd love some examples of your concerns. I also don't
> understand why FIPS compliance will make a user have a bad time since
> I've been on systems that were fully FIPS compliant and didn't have
> any problems.

You don't think it would upset users to have their kernel panic if they
accidentally tried to load an inappropriately signed module? What
happens if I ssh to a server that doesn't implement any of the
FIPS-approved algorithms? Why is Firefox suddenly asking for a password
before I can visit https sites? Why won't Firefox speak https to a bunch
of sites?

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx