On Mon, 8 Nov 2021 at 04:32, Michael Schroeder <mls@xxxxxxx> wrote:
>
> On Sat, Nov 06, 2021 at 07:43:02AM -0000, Daniel Alley wrote:
> > Another issue - which is not per se a security issue but it's still a problem - is that deltarpm uses md5 checksums pervasively. They're everywhere. And it uses its own implementation of md5 which doesn't respect FIPS, so even when the user has *explicitly* configured their system to not use md5 for anything security-relevant, libdeltarpm won't know or care.
>
> They are used as a consistency check, it might as well use crc32.
> So I don't see why FIPS is a concern for you.
>

In order to get the overall system to be FIPS (and equivalent EU/RU/CN ones) certified, all the implementations of various functions have to be audited and reviewed. Some must be able to be turned off no matter what. It doesn't matter if 99 of the 100 versions of md5sum are only for consistency; they must be able to be turned off/not used and not affect the system.

[ The reason why we can't have nice things is that various super-programmers see that 99 versions of md5sum are gone, but find that one call in, say, librpm which still exists, so they make a wrapper to it and then tie the bank code to it. Next thing you know, you find yourself not just on the Register as a story about code gone wrong but on the front page of various financial newspapers due to bank losses. ]

> Cheers,
> Michael.
>
> --
> Michael Schroeder SUSE Software Solutions Germany GmbH
> mls@xxxxxxx GF: Felix Imendoerffer HRB 36809, AG Nuernberg
> main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
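The thread's point is that a checksum used only for consistency must still be routed through the platform's hash library, so that an administrator's FIPS policy is honoured, and must be switchable off (or replaced by crc32, as suggested above) without breaking the program. The following is an added illustration of that pattern in Python; it is not code from deltarpm, librpm, or any poster. It relies on the real `hashlib` `usedforsecurity` keyword (Python 3.9+, and earlier on Fedora/RHEL patched builds); the names `ALLOW_MD5`, `consistency_checksum` and `verify` are hypothetical, as is the module-level policy switch, which a real system would read from the platform crypto policy rather than a constant.

```python
"""Consistency checksums that defer to the platform crypto policy.

Added example for the deltarpm/FIPS discussion; not code from deltarpm,
librpm or any poster. It shows two things: (1) an MD5 consistency check
goes through the system library flagged as not-for-security instead of a
private MD5 implementation, so a FIPS policy can refuse it; (2) the caller
has an explicit switch to turn MD5 off, and verification fails closed when
the checksum cannot be computed, so no later wrapper can quietly depend on
the routine for anything security-relevant.
"""
import hashlib
import zlib

# Constructed policy switch for this example (hypothetical name). A real
# system would consult the platform policy (e.g. FIPS mode) instead.
ALLOW_MD5 = True


def _md5_non_security(data: bytes) -> str:
    """MD5 via the system hashlib, declared as a plain checksum.

    usedforsecurity=False (hashlib, Python 3.9+) tells an OpenSSL-backed
    hashlib running in FIPS mode that this digest is not used for security.
    Without the flag, FIPS-mode OpenSSL raises ValueError, which is exactly
    the "must be able to be turned off no matter what" behaviour the thread
    asks for.
    """
    try:
        return hashlib.new("md5", data, usedforsecurity=False).hexdigest()
    except TypeError:
        # Interpreter without the usedforsecurity keyword (pre-3.9,
        # unpatched): fall back to the plain call; FIPS mode may still
        # raise ValueError here, which the caller handles.
        return hashlib.new("md5", data).hexdigest()


def consistency_checksum(data: bytes, algorithm: str = "md5",
                         allow_md5: bool = ALLOW_MD5) -> str:
    """Return a hex checksum suitable only for detecting accidental corruption.

    algorithm: "md5" or "crc32" (crc32 is the replacement suggested in the thread).
    allow_md5: policy switch; when False, MD5 requests are refused rather than
               silently computed, so the dependency on MD5 becomes visible.
    """
    if algorithm == "crc32":
        # zlib.crc32 returns an unsigned 32-bit int; render as 8 hex digits.
        return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"
    if algorithm == "md5":
        if not allow_md5:
            raise RuntimeError("md5 disabled by policy; use algorithm='crc32'")
        try:
            return _md5_non_security(data)
        except ValueError as exc:
            # The platform policy (FIPS mode) refused MD5 even as a checksum.
            raise RuntimeError("md5 unavailable under platform crypto policy") from exc
    raise ValueError(f"unsupported checksum algorithm: {algorithm!r}")


def verify(data: bytes, expected: str, algorithm: str = "md5",
           allow_md5: bool = ALLOW_MD5) -> bool:
    """Compare a stored checksum with a fresh one; fail closed if it cannot run.

    A verification that cannot be performed (MD5 refused by policy) reports
    False rather than raising, so callers cannot accidentally treat "could
    not check" as "checked OK".
    """
    try:
        return consistency_checksum(data, algorithm, allow_md5) == expected.lower()
    except RuntimeError:
        return False


if __name__ == "__main__":
    # Constructed sample payload standing in for a delta segment.
    payload = b"constructed delta segment"
    print("md5  :", consistency_checksum(payload, "md5"))
    print("crc32:", consistency_checksum(payload, "crc32"))
    print("md5 with policy off:", verify(payload, "00", "md5", allow_md5=False))
```

Because the checksum path is a single function with an explicit switch, disabling MD5 is one change in one place, and a FIPS-mode refusal surfaces as a failed verification rather than a crash deep inside a private hash implementation.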