On 03/25/2014 01:18 PM, Stephen Gallagher wrote:
> On 03/24/2014 10:14 PM, Kenjiro Nakayama wrote:
>> Hi,
>> Although I have created a new ticket[1], I have gotten no response yet. Can anyone take a look, or how long should I wait?
> I'm not speaking for the FPC (I'm not a member),

I am a member of the FPC, but am only speaking for myself here ...

> but in general, it's preferred to modify the package to consume one of the approved crypto libraries if at all possible. It's very dangerous to allow bundled crypto implementations in the system because there are no guarantees that flaws will be fixed in a timely manner.

... I concur with you.
These days, bundling any cryptography related routines (and static linkage against libs containing cryptographic routines) has become hardly acceptable and hardly tolerable.
That said, I am in favor of the FPC banning any bundled encryption routines, aiming to concentrate such routines into very few packages/libraries. I am aware that enforcing this will likely be tedious, but I feel it's the only alternative Fedora has to keep the risk of users being endangered by compromised cryptography low.
Ralf