On Wed, 2019-06-19 at 10:19 +0200, Vít Ondruch wrote:
> On 18. 06. 19 at 21:50, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/CustomCryptoPolicies
> >
> > == Summary ==
> > This new feature of crypto-policies allows system administrators and
> > third party providers to modify and adjust the existing system-wide
> > crypto policies to enable or disable algorithms and protocols.
> >
> > == Owner ==
> > * Name: [[User:Tmraz | Tomáš Mráz]]
> > * Email: tmraz@xxxxxxxxxx
> >
> > == Detailed Description ==
> >
> > The crypto-policies package will be enhanced to allow system
> > administrators to modify the existing system-wide crypto policy levels
> > by removing or adding enabled algorithms and protocols. For example it
> > will be possible to easily modify the existing DEFAULT
>
> I just wonder what is the strategy here? Does it mean that the
> "DEFAULT" definition will be stored permanently somewhere in /usr/ and
> I'll be able to copy the DEFAULT into /etc and modify it according to my
> needs?
>
> I am just asking, because AFAIK, currently the crypto policies
> configuration is stored just in /etc and modifying the "DEFAULT" profile
> would make the updates problematic, requiring someone to file with
> .rpmnew files etc. That would be unfortunate.

The configuration files will be created by a simple Python application
(which the update-crypto-policies will transform into). You will specify
just the modifications that should be done to the base policy.

Please see
https://gitlab.com/redhat-crypto/fedora-crypto-policies/tree/custom-policies
to get the idea.

We might continue shipping the "unmodified" configurations in /usr/share
but I do not see much benefit in that except for being able for the
sysadmin to look at how the unmodified individual configurations look
like without applying the policy to the system.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]