On 11/08/2017 06:08 PM, Björn 'besser82' Esser wrote:
Hello everyone, since there has been some discussion in the last time about removing libcrypt from glibc in some time [1,2,3,4] and splitting it out into a separate project which can evolve quicker, I'd like to hear your opinion about replacing glibc's libcrypt with libxcrypt [5] for Fedora 29 (or 30).
I'd prefer this to happen in Fedora 28 if at all possible.
Anyways, before this can happen, there is still some work to be done with libxcrypt, like adding a FIPS mode or FIPS compliance in a different way.
I think the best way to achieve that would be to contribute libxcrypt (its interfaces and its peculiar build process) to some FIPS-validated cryptographic libraries, so that the actual algorithms and FIPS mode logic could be reused from that library.
Otherwise, unless you have experience dealing with FIPS requirements and getting cryptographic libraries through validation, I strongly recommend not to work on this at all. If and when we need this downstream, we can contribute exactly what is needed according to the auditors back upstream. Personally, I do not have a way to know what the requirements would be in advance.
Thanks,
Florian