On Tue, Jun 5, 2018 at 2:27 PM, John Florian <john@xxxxxxxxxxxxx> wrote:
> On 06/05/2018 12:55 PM, Chris Murphy wrote:
>>
>> I don't understand the motivation of departing from upstreams, which
>> by their nature are on a knife's edge balancing security and practical
>> use in the real world. Why second guess that effort and on what basis?
>
> Totally agree!
>>
>> Slightly off topic as an anecdote, but the Payment Card Industry Data
>> Security Standard (PCI DSS) is only calling for the end to TLS 1.0
>> support at the end of this month, recommending TLS 1.2 but permitting
>> TLS 1.1. This is the spec for transmitting people's credit card
>> magnetic stripe/chip information for payment authorizations. Now maybe
>> that's a bit eyebrow raising, but if they're willing to take the risk
>> of allowing TLS 1.1 for such a use case, I hardly think Fedora should
>> be jumping the gun.
>
> That's why there's transaction fees. Oops! Oh well, here's a few million
> to deal with that. They advertise like they can't get rid of the money fast
> enough. I always figured the Visa "Magic Moments" were something like hot
> database redirection where some transactions fell off the end of the cable,
> landed on the floor and turned into the customer's lucky day simply due to
> the timing. Like it was easier/cheaper to give away the fruits rather than
> fix the real problem.

Yes that's true, and so the analogy fails on this point: they're
effectively dragging everyone into an insurance racket. But the contra
argument is that Fedora isn't providing guarantees or charging fees, and
we're not on questionable footing by following the lead of upstreams on
the issue of security.

> I doubt it's actually like that, but I do bet they have more luxury than
> Fedora does. While I'd prefer the best security, I don't want it at the
> risk of things being broken. I don't have the confidence that my work
> around is as safe as an older, more trusting Fedora. When I see those
> cipher suite strings my head just goes into a tailspin.

I think second guessing any upstream is fair. But it also comes with the
burden of making a really compelling argument that upstream isn't
adequately serving Fedora community interests. And that argument needs
to be dropped in the lap of the upstream so they have a chance of
responding to the criticism.

Maybe it makes more sense for Fedora to be aggressive on security by
default, and we push flatpak versions of Firefox (or other browsers)
configured to support TLS 1.0 and 1.1 as the way to provide legacy
support. But my first instinct is that Fedora stays in parity with
upstream, and the Security spin folks can produce the more aggressively
secure variant. *shrug*

-- 
Chris Murphy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/IN7CZESP6Q4RBAS4O7CGGMPYNTWN66ZB/
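The two policies argued over in this thread (a TLS 1.2 floor in parity with upstream versus a legacy variant that still speaks TLS 1.0/1.1) are easier to reason about when the protocol floor is set as a version range instead of being buried in a cipher string, which is the part John says sends his head into a tailspin. The following is an added example, not code from the thread or from Fedora: it builds both client policies with Python's ssl module (assumes OpenSSL 1.1.0g or newer, where minimum_version is settable), expands the cipher string into the concrete suites it enables, and reports which protocol versions each context will negotiate. The cipher string CIPHERS and the helper names are illustrative choices of this example; a cipher string cannot express a protocol version at all, which is why the floor goes on the context.

```python
import ssl
import warnings

# Protocol versions in ascending order, as the ssl module names them.
# SSLv3 is listed only so that MINIMUM_SUPPORTED resolves to a concrete
# lower bound; nothing here enables it.
_ORDER = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# OpenSSL cipher string shared by both policies (an illustrative choice
# for this example, not Fedora's crypto-policy). Exclusions are spelled
# out so the reader need not remember what HIGH contains in a given
# OpenSSL release. Note it says nothing about protocol versions.
CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def build_context(minimum: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context whose protocol floor is `minimum`.

    The version range lives on the context (SSL_CTX_set_min_proto_version
    underneath), separate from the cipher string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Python 3.10+ warns when TLS 1.0/1.1 are selected; that is the
        # point of the legacy variant, so keep the warning out of the way.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = minimum
        ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.set_ciphers(CIPHERS)
    return ctx


def upstream_parity_context() -> ssl.SSLContext:
    """TLS 1.2 floor: what the thread calls parity with upstream."""
    return build_context(ssl.TLSVersion.TLSv1_2)


def legacy_context():
    """TLS 1.0 floor, the 'legacy support' variant.

    Returns None when the underlying OpenSSL was built without TLS 1.0,
    in which case no context can be made to offer it.
    """
    if not ssl.HAS_TLSv1:
        return None
    try:
        return build_context(ssl.TLSVersion.TLSv1)
    except ValueError:
        return None


def allowed_versions(ctx: ssl.SSLContext) -> list:
    """Names of the protocol versions `ctx` is willing to negotiate."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _ORDER[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _ORDER[-1]
    return [v.name for v in _ORDER if lo <= v <= hi]


def cipher_names(ctx: ssl.SSLContext) -> list:
    """Expand the context's cipher string into the suites it enables."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Suites the cipher string was supposed to exclude; expect []."""
    return [n for n in cipher_names(ctx)
            if "RC4" in n or "DES" in n or "MD5" in n]


def policy_report(ctx: ssl.SSLContext) -> dict:
    names = cipher_names(ctx)
    return {
        "versions": allowed_versions(ctx),
        "suite_count": len(names),
        "weak_suites": weak_suites(ctx),
    }


if __name__ == "__main__":
    print("upstream parity:", policy_report(upstream_parity_context()))
    legacy = legacy_context()
    print("legacy:", policy_report(legacy) if legacy else "TLS 1.0 unavailable")
```

Run it and compare the two "versions" lists: the cipher suites are identical under both policies, and only the context's version floor decides whether TLS 1.0 and 1.1 are on the table. On Fedora the system-wide defaults come from crypto-policies rather than from per-application code like this, so the example describes one client's policy, not the distribution's.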