On 19. 06. 19 at 12:00, Tomas Mraz wrote:
> On Wed, 2019-06-19 at 10:19 +0200, Vít Ondruch wrote:
>> On 18. 06. 19 at 21:50, Ben Cotton wrote:
>>> https://fedoraproject.org/wiki/Changes/CustomCryptoPolicies
>>>
>>> == Summary ==
>>> This new feature of crypto-policies allows system administrators and
>>> third party providers to modify and adjust the existing system-wide
>>> crypto policies to enable or disable algorithms and protocols.
>>>
>>> == Owner ==
>>> * Name: [[User:Tmraz | Tomáš Mráz]]
>>> * Email: tmraz@xxxxxxxxxx
>>>
>>> == Detailed Description ==
>>>
>>> The crypto-policies package will be enhanced to allow system
>>> administrators to modify the existing system-wide crypto policy levels
>>> by removing or adding enabled algorithms and protocols. For example it
>>> will be possible to easily modify the existing DEFAULT
>> I just wonder what is the strategy here? Does it mean that the
>> "DEFAULT" definition will be stored permanently somewhere in /usr/ and
>> I'll be able to copy the DEFAULT into /etc and modify it according to
>> my needs?
>>
>> I am just asking, because AFAIK, currently the crypto policies
>> configuration is stored just in /etc and modifying the "DEFAULT"
>> profile would make the updates problematic, requiring someone to file
>> with .rpmnew files etc. That would be unfortunate.
> The configuration files will be created by a simple python application
> (which the update-crypto-policies will transform into). You will
> specify just the modifications that should be done to the base policy.
>
> Please see
> https://gitlab.com/redhat-crypto/fedora-crypto-policies/tree/custom-policies
> to get the idea.
>
> We might continue shipping the "unmodified" configurations in
> /usr/share but I do not see much benefit in that except for being able
> for the sysadmin to look at how the unmodified individual
> configurations look like without applying the policy to the system.
>

Looking at the "unmodified" configuration is a great benefit in itself. Being able to `rm -rf /etc/cryptopolicies` (or whatever is the right folder) to restore the original configuration would be even better. But maybe "update-crypto-policies" creates configuration files for several crypto libraries, so this might not be possible without modification of those libraries, dunno.

Vít