Re: deltarpm usefulness?

Stephen John Smoogen <smooge@xxxxxxxxx> writes:

> On Mon, 8 Nov 2021 at 04:32, Michael Schroeder <mls@xxxxxxx> wrote:
>>
>> On Sat, Nov 06, 2021 at 07:43:02AM -0000, Daniel Alley wrote:
>> > Another issue - which is not per-se a security issue but it's still a problem - is that deltarpm uses md5 checksums pervasively.  They're everywhere.  And it uses its own implementation of md5 which doesn't respect FIPS, so even when the user has *explicitly* configured their system to not use md5 for anything security-relevant, libdeltarpm won't know or care.
>>
>> They are used as a consistency check, it might as well use crc32.
>> So I don't see why FIPS is a concern for you.
>>
>
> In order to get the overall system to be FIPS (and equivalent EU/RU/CN
> ones) certified all the implementations of various functions have to
> be audited and reviewed. Some must be able to be turned off no matter
> what. It doesn't matter if 99 of the 100 versions of md5sum are only
> for consistency, they must be able to be turned off/not used and not
> affect the system.

I don't think that's quite accurate.  If the crypto primitive isn't
being used for security, then FIPS isn't interested - FIPS is only
certifying the cryptography used, and this isn't it.  (It's non-FIPS
relevant.)

This leads to a very common workaround for legacy cryptosystems of
tunneling the "bad" crypto in something else: one example is interacting
with RC4 and NTLM, where they're still used but over a tunnel (TLS, VPN,
etc.) that doesn't expose them.

Be well,
--Robbie
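
The distinction debated in this thread, MD5 as a consistency check versus MD5 as a security primitive, as an added example that is not part of any message above and is not deltarpm code: Python's `hashlib` (3.9+) lets a caller declare a digest non-security with `usedforsecurity=False`, so a FIPS crypto policy can block only the security-relevant uses. The function names, the sample payload and the SHA-256 trust check are assumptions made for illustration.

```python
import hashlib
import hmac


def consistency_md5(data: bytes) -> str:
    """MD5 used only to detect accidental corruption, the way a CRC would be."""
    # usedforsecurity=False declares this digest is not a security control,
    # which lets a FIPS-restricted crypto backend still permit it.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def md5_policy() -> dict:
    """Report which kinds of MD5 use the local crypto policy allows."""
    allowed = {}
    for label, flag in (("security", True), ("non_security", False)):
        try:
            hashlib.md5(b"", usedforsecurity=flag)
            allowed[label] = True
        except ValueError:
            # Raised when the backend refuses the algorithm (e.g. FIPS mode).
            allowed[label] = False
    return allowed


def verify_payload(data: bytes, expected_md5: str, expected_sha256: str) -> str:
    """Keep the two roles apart: MD5 for consistency, SHA-256 for trust.

    Assumption: expected_sha256 comes from metadata that was authenticated
    elsewhere (for example signed repository metadata).
    """
    if consistency_md5(data) != expected_md5:
        return "corrupt"      # accidental damage, e.g. a bad reconstruction
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        return "untrusted"    # passes the consistency check, fails the trust check
    return "ok"


if __name__ == "__main__":
    payload = b"constructed sample payload"   # constructed test data
    md5 = consistency_md5(payload)
    sha = hashlib.sha256(payload).hexdigest()
    print(md5_policy())
    print(verify_payload(payload, md5, sha))
    print(verify_payload(payload + b"!", md5, sha))
```

On a host in FIPS mode `md5_policy()` is expected to report `security` as blocked while `non_security` stays allowed; on a default host both are allowed.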
