There is also the main Matrix room, which is at #security:fedoraproject.org, which gets double duty use for security discussions as well as discussion for the Security-Lab Spin. It's the evolution of the original security IRC room. It's more of a general contact point for people in the Fedora Community with questions or wanting to bring up a security topic. It's fully public, so don't post embargoed information there.
JT
On Tue, Aug 20, 2024 at 7:43 AM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
On Tue, Aug 20, 2024 at 12:54:52PM +0200, Fabio Valentini wrote:
> On Sun, Aug 18, 2024 at 5:23 PM Andrew Bauer
> <zonexpertconsulting@xxxxxxxxxxx> wrote:
> >
> > Thanks everyone for the great responses.
> >
> > I'll certainly check out the Matrix room if I have to, but I was hoping I could do this in a way that allows me to directly reference any responses I get via link in the following new package request:
> > https://bugzilla.redhat.com/show_bug.cgi?id=2302646
> >
> > The Netatalk project is moving from OpenSSL -> WolfSSL. Hence there is a need to add WolfSSL package to Fedora repos.
> >
> > It has already gone through the normal approval process, but the question was raised whether this needs an additional approval from the Fedora Security Team, since this is a crypto library.
>
> I raised this question due to this section in the packaging guidelines:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_new_crypto_libraries
>
> > New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by Fedora packaging committee, after consulting with Fedora security team.
>
> The question whether wolfssl complies with system crypto policies
> hasn't been answered, as far as I can tell, so I don't appreciate that
> the package was already imported to Fedora regardless.
Yep, it certainly appears that the approval of wolfssl is non-compliant
with the packaging guidelines. There's no sign of any code in wolfssl
that would honour crypto policies, and there is no approved FPC exception
listed in the review ticket. The response asserting that this paragraph
is too vague & doesn't apply is dubious at best, as IMHO the guideline
quoted above is succinct & clear - a FPC exception is required in this
case.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue