On Wed, 2019-06-19 at 12:49 +0200, Vít Ondruch wrote:
> On 19. 06. 19 at 12:00 Tomas Mraz wrote:
> > On Wed, 2019-06-19 at 10:19 +0200, Vít Ondruch wrote:
> > > On 18. 06. 19 at 21:50 Ben Cotton wrote:
> > > > https://fedoraproject.org/wiki/Changes/CustomCryptoPolicies
> > > >
> > > > == Summary ==
> > > > This new feature of crypto-policies allows system administrators and third party providers to modify and adjust the existing system-wide crypto policies to enable or disable algorithms and protocols.
> > > >
> > > > == Owner ==
> > > > * Name: [[User:Tmraz | Tomáš Mráz]]
> > > > * Email: tmraz@xxxxxxxxxx
> > > >
> > > > == Detailed Description ==
> > > >
> > > > The crypto-policies package will be enhanced to allow system administrators to modify the existing system-wide crypto policy levels by removing or adding enabled algorithms and protocols. For example it will be possible to easily modify the existing DEFAULT
> > >
> > > I just wonder what the strategy is here? Does it mean that the "DEFAULT" definition will be stored permanently somewhere in /usr/ and I'll be able to copy the DEFAULT into /etc and modify it according to my needs?
> > >
> > > I am just asking, because AFAIK, currently the crypto policies configuration is stored just in /etc and modifying the "DEFAULT" profile would make the updates problematic, requiring someone to fiddle with .rpmnew files etc. That would be unfortunate.
> >
> > The configuration files will be created by a simple python application (which the update-crypto-policies will transform into). You will specify just the modifications that should be done to the base policy.
> >
> > Please see https://gitlab.com/redhat-crypto/fedora-crypto-policies/tree/custom-policies to get the idea.
> >
> > We might continue shipping the "unmodified" configurations in /usr/share but I do not see much benefit in that except for the sysadmin being able to look at how the unmodified individual configurations look without applying the policy to the system.
>
> Looking at the "unmodified" configuration is a great benefit in itself.

Unmodified from what? What I meant above were the unmodified pristine DEFAULT, LEGACY, FUTURE or FIPS configurations, not something like the library default configuration without crypto policies.

> Being able to `rm -rf /etc/cryptopolicies` (or whatever is the right folder) to restore the original configuration would be even better. But maybe the "update-crypto-policies" creates configuration files for several cryptolibraries, so this might not be possible without modification of those libraries, dunno.

But no such thing was ever possible since crypto policies were introduced and there is currently no plan to do that. This is certainly out of scope for the Custom Crypto Policies change.

I am also not sure what exactly you mean by "original configuration" - do you mean the configuration if there was no crypto-policies on the system? Then that would require more configuration handling changes in the individual crypto backend libraries/applications.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]
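The design point of the thread is that the administrator never copies and edits a whole policy: the pristine base (DEFAULT, LEGACY, FUTURE, FIPS) stays as shipped and only the delta is stored, so package updates to the base never collide with local changes. The following is an added illustration of that "base policy plus modifications" model; it is not the crypto-policies project's code and the `key = +NAME -NAME` modifier syntax, the policy keys and the base policy contents are all constructed here for the example. It also shows the check a practitioner wants from such a tool: a mistyped key fails loudly instead of silently leaving the base policy in force.

```python
import copy
import re

# Constructed sample base policies, standing in for the pristine definitions
# that a packaged tool would ship read-only (e.g. under /usr/share).
# These are illustrative values, not the real crypto-policies definitions.
BASE_POLICIES = {
    "DEFAULT": {
        "protocol": ["TLS1.3", "TLS1.2"],
        "hash": ["SHA2-256", "SHA2-384", "SHA2-512", "SHA1"],
        "min_rsa_size": 2048,
    },
    "FUTURE": {
        "protocol": ["TLS1.3", "TLS1.2"],
        "hash": ["SHA2-256", "SHA2-384", "SHA2-512"],
        "min_rsa_size": 3072,
    },
}

_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_modifier(text):
    """Parse a modifier file (assumed syntax) into a list of (key, value) ops.

    Each line is 'key = value'. For list-valued keys the value is a sequence of
    '+NAME' / '-NAME' tokens; for scalar keys it is a replacement value.
    Blank lines and '#' comments are ignored.
    """
    ops = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        ops.append((m.group(1), m.group(2).strip()))
    return ops


def apply_modifier(base, ops):
    """Return a new policy: the base with ops applied. The base is never mutated."""
    policy = copy.deepcopy(base)
    for key, value in ops:
        if key not in policy:
            # A typo in a key would otherwise silently change nothing; fail loudly.
            raise ValueError(f"unknown policy key {key!r}")
        current = policy[key]
        if isinstance(current, list):
            for tok in value.split():
                if len(tok) < 2 or tok[0] not in "+-":
                    raise ValueError(f"{key}: list modifiers need +NAME/-NAME, got {tok!r}")
                name = tok[1:]
                if tok[0] == "+" and name not in current:
                    current.append(name)
                elif tok[0] == "-" and name in current:
                    current.remove(name)
        elif isinstance(current, int):
            policy[key] = int(value)
        else:
            policy[key] = value
    return policy


def effective_policy(base_name, modifier_text):
    """Resolve BASE:modifier into the policy the backends would be configured with."""
    if base_name not in BASE_POLICIES:
        raise ValueError(f"unknown base policy {base_name!r}")
    return apply_modifier(BASE_POLICIES[base_name], parse_modifier(modifier_text))


def describe_changes(base, policy):
    """Human-readable list of what the modifier changed, for review or audit logs."""
    return [f"{k}: {base[k]!r} -> {policy[k]!r}" for k in base if base[k] != policy[k]]


if __name__ == "__main__":
    # Constructed example: tighten DEFAULT without ever copying its definition.
    modifier = """
    # drop SHA-1 and TLS 1.2, require 3072-bit RSA
    hash = -SHA1
    protocol = -TLS1.2
    min_rsa_size = 3072
    """
    result = effective_policy("DEFAULT", modifier)
    for change in describe_changes(BASE_POLICIES["DEFAULT"], result):
        print(change)
```

Because `apply_modifier` deep-copies the base, the shipped definitions stay byte-for-byte what the package delivered, which is exactly what avoids the `.rpmnew` problem raised in the thread: an update replaces the base, the local modifier is re-applied on top, and `describe_changes` gives the administrator a concise view of how the effective policy differs from the pristine one.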