Once upon a time, Alexander Sosedkin <asosedkin@xxxxxxxxxx> said:
> Sure. Crypto-policies are there to give you control of what's enabled,
> ideally what's enabled by default.
>
> 1) There's a blanket `update-crypto-policies --set LEGACY`
> 2) There's a possibility to reenable disabled algorithms with custom policies,
>    allowing to go even lower than LEGACY (which you
>    shouldn't really do on public networks, but who's there to stop you)
> 3) (F35+) There's a possibility to reenable algorithms per backends,
>    say, for NSS, Java or krb5 only
> 4) (In an ideal world) crypto-policies settings should act as defaults,
>    meaning apps should be able to further modify them,
>    offer weaker methods with a warning, etc
> 5) There are total per-backend opt-out mechanisms / procedures

Missing #4 is what makes a lot of this not as useful.

I understand the effort that has gone into this and appreciate stepping
up security, but... what matters as a user is "can I get to this site in
Firefox", "does this VPN work", etc. Browsers are probably the
highest-impact user of this, and it is all-or-nothing there AFAIK.

Having to lower the level across the board so that I can download router
firmware images or connect to my work VPN kind of scraps all the effort.

-- 
Chris Adams <linux@xxxxxxxxxxx>