On Tue, Aug 24, 2021 at 12:07 AM Chris Adams <linux@xxxxxxxxxxx> wrote:
>
> Once upon a time, Alexander Sosedkin <asosedkin@xxxxxxxxxx> said:
> > Sure. Crypto-policies are there to give you control of what's enabled,
> > ideally what's enabled by default.
> >
> > 1) There's a blanket `update-crypto-policies --set LEGACY`
> > 2) There's a possibility to reenable disabled algorithms with custom policies,
> >    allowing to go even lower than LEGACY (which you
> >    shouldn't really do on public networks, but who's there to stop you)
> > 3) (F35+) There's a possibility to reenable algorithms per backends,
> >    say, for NSS, Java or krb5 only
> > 4) (In an ideal world) crypto-policies settings should act as defaults,
> >    meaning apps should be able to further modify them,
> >    offer weaker methods with a warning, etc
> > 5) There are total per-backend opt-out mechanisms / procedures
>
> Missing #4 is what makes a lot of this not as useful.

Yes, and consider myself to be the person
who needs the least amount of convincing on that subject [1].
Work is underway to shift away from it in gnutls case.

> I understand the effort that has gone into this
> and appreciate stepping up security,
> but... what matters as a user is "can I get to this site in Firefox",
> "does this VPN work", etc. Browsers are probably the highest-impact
> user of this, and it is all-or-nothing there AFAIK. Having to lower the
> level across the board so that I can download router firmware images or
> connect to my work VPN kind of scraps all the effort.

[1] https://gitlab.com/gnutls/gnutls/-/issues/1172
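
A check for the across-the-board lowering discussed in this message, as an added example that is not part of the original email or of the crypto-policies project: it classifies the policy string set with `update-crypto-policies --set`, so hosts that were dropped to LEGACY system-wide stand out in an audit. It assumes the setting is read from `/etc/crypto-policies/config` in the form `BASE[:SUBPOLICY...]`; the function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit helper for the system-wide crypto-policies setting.
# Assumption: the setting has the form BASE[:SUBPOLICY...], as passed to
# `update-crypto-policies --set`. Verdict labels are made up for this example.

# Print the first effective line of a config file, ignoring comments,
# whitespace and blank lines.
read_policy() {
    # $1: path to the config file
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | head -n 1
}

# Classify a policy string.
# Output: "<verdict> base=<BASE> modules=<subpolicies or none>"
classify_policy() {
    policy=$1
    base=${policy%%:*}              # text before the first ':'
    case $policy in
        *:*) modules=${policy#*:} ;;  # everything after the first ':'
        *)   modules=none ;;
    esac
    case $base in
        LEGACY)              verdict=LOWERED-SYSTEM-WIDE ;;
        DEFAULT|FUTURE|FIPS) verdict=STOCK ;;
        "")                  verdict=EMPTY ;;
        *)                   verdict=CUSTOM-REVIEW ;;  # site-defined base policy
    esac
    # A stock base with subpolicies applied still deserves a look at the modules.
    if [ "$verdict" = STOCK ] && [ "$modules" != none ]; then
        verdict=STOCK-WITH-MODULES
    fi
    printf '%s base=%s modules=%s\n' "$verdict" "$base" "$modules"
}

# Report on this host only when the config file is present and readable.
cfg=/etc/crypto-policies/config
if [ -r "$cfg" ]; then
    classify_policy "$(read_policy "$cfg")"
fi
```

A `CUSTOM-REVIEW` or `STOCK-WITH-MODULES` verdict is not a finding by itself; it marks a host whose policy files need reading to see what was re-enabled.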