04-26-2011, 01:04 PM
Bastien ROUCARIES

Crypto consolidation in debian ?

Dear dd,

I have seen that Fedora is trying to consolidate the number of crypto
packages shipped [1]. What do you think about this goal?

Moreover, a lot of keyring solutions are available for the desktop but
are not directly compatible with each other, which is close to a nightmare (for
instance Mozilla is not compatible with KDE pinning, which is not
compatible with GNOME). This goal is one of the first steps toward offering a
common framework for crypto and keyring unification.

Comments welcome.

Bastien

[1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/BANLkTinOV0W=O1tQM1jk2GzhvGPXn3k_pA@mail.gmail.com
 
04-26-2011, 03:08 PM
Philipp Kern

On 2011-04-26, Bastien ROUCARIES <roucaries.bastien@gmail.com> wrote:
> I have seen that fedora is trying to consolidate the number of crypto
> package shipped [1]. What do you think about this goal ?

Is there any progress on Fedora's effort? So far it seemed like Vaporware to
me. (Given that it's not exactly a Fedora feature that's proposed there,
which are tracked with progress separately for each release.)

Kind regards
Philipp Kern


 
04-26-2011, 03:22 PM
Bastien ROUCARIES

On Tue, Apr 26, 2011 at 5:08 PM, Philipp Kern <trash@philkern.de> wrote:
> On 2011-04-26, Bastien ROUCARIES <roucaries.bastien@gmail.com> wrote:
>> I have seen that fedora is trying to consolidate the number of crypto
>> package shipped [1]. What do you think about this goal ?
>
> Is there any progress on Fedora's effort? So far it seemed like Vaporware to
> me. (Given that it's not exactly a Fedora feature that's proposed there,
> which are tracked with progress separately for each release.)

According to the wiki history, it seems they are making progress; see [2]

Bastien

[2] https://fedoraproject.org/w/index.php?title=CryptoConsolidationScorecard&action=history

> Kind regards
> Philipp Kern


 
04-26-2011, 05:20 PM

On Apr 26, Bastien ROUCARIES <roucaries.bastien@gmail.com> wrote:

> I have seen that fedora is trying to consolidate the number of crypto
> package shipped [1]. What do you think about this goal ?
While I believe it to be a worthwhile goal, I have serious doubts that
we should actively switch packages to NSS when this causes regressions.
The reason is that the kind of entities which require FIPS 140 probably
also tend to require corporate vendor support, which we do not provide.

If building a package with NSS instead of other libraries does not
cause relevant negative side effects then I think we should do it to
benefit from the improvements which NSS is receiving and to help the
process.

--
ciao,
Marco
 
04-26-2011, 06:16 PM
Bastien ROUCARIES

On Tue, Apr 26, 2011 at 7:20 PM, Marco d'Itri <md@linux.it> wrote:
> On Apr 26, Bastien ROUCARIES <roucaries.bastien@gmail.com> wrote:
>
>> I have seen that fedora is trying to consolidate the number of crypto
>> package shipped [1]. What do you think about this goal ?
> While I believe it to be a worthwhile goal, I have serious doubts that
> we should actively switch packages to NSS when this causes regressions.

Yes, the main drawback is the lack of compression support (see [3]), but it
could be improved.

> The reason is that the kind of entities which require FIPS 140 probably
> also tend to require corporate vendor support, which we do not provide.

Even if we do not support corporate users, being FIPS 140 is worthwhile from
a security point of view: vendors that care about it will provide quick
security fixes.
Moreover, from a marketing point of view it would also be nice.

> If building a package with NSS instead of other libraries does not
> causes relevant negative side effects then I think we should do it to
> benefit from the improvements which NSS is receiving and to help the
> process.

Moreover, it will reduce the license mess of OpenSSL... And that is by
itself a worthwhile goal.

Bastien

[3] http://fedoraproject.org/wiki/Nss_compat_ossl

> --
> ciao,
> Marco
>


 
04-26-2011, 11:05 PM
Russ Allbery

Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:

> I have seen that fedora is trying to consolidate the number of crypto
> package shipped [1]. What do you think about this goal ?

Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother. Seems like a waste of time to me. If I were going to port to any
other crypto library, I'd port to gcrypto, not NSS.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


 
04-27-2011, 08:04 AM
Bastian Blank

On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
> The reason is that the kind of entities which require FIPS 140 probably
> also tend to require corporate vendor support, which we do not provide.

What is FIPS 140 and why is this important?

> If building a package with NSS instead of other libraries does not
> causes relevant negative side effects then I think we should do it to
> benefit from the improvements which NSS is receiving and to help the
> process.

No support for /etc/ssl?

Bastian

--
It is more rational to sacrifice one life than six.
-- Spock, "The Galileo Seven", stardate 2822.3


 
04-27-2011, 08:25 AM

On Apr 27, Bastian Blank <waldi@debian.org> wrote:

> On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
> > The reason is that the kind of entities which require FIPS 140 probably
> > also tend to require corporate vendor support, which we do not provide.
> What is FIPS 140 and why is this important?
It is a certification required by USG and many financial customers.

> > If building a package with NSS instead of other libraries does not
> > causes relevant negative side effects then I think we should do it to
> > benefit from the improvements which NSS is receiving and to help the
> > process.
> No support for /etc/ssl?
NSS uses a different method to store certificates, but I do not think
that this is a serious problem.

--
ciao,
Marco
 
04-27-2011, 08:29 AM
Mike Hommey

On Wed, Apr 27, 2011 at 10:25:30AM +0200, Marco d'Itri wrote:
> On Apr 27, Bastian Blank <waldi@debian.org> wrote:
>
> > On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
> > > The reason is that the kind of entities which require FIPS 140 probably
> > > also tend to require corporate vendor support, which we do not provide.
> > What is FIPS 140 and why is this important?
> It is a certification required by USG and many financial customers.
>
> > > If building a package with NSS instead of other libraries does not
> > > causes relevant negative side effects then I think we should do it to
> > > benefit from the improvements which NSS is receiving and to help the
> > > process.
> > No support for /etc/ssl?
> NSS uses a different method to store certificates, but I do not think
> that this is a serious problem.

Fedora supposedly is working on a pkcs#11 module to read from /etc/ssl.

Mike


 
04-27-2011, 09:40 AM
Bastien ROUCARIES

On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery <rra@debian.org> wrote:
> Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
>
>> I have seen that fedora is trying to consolidate the number of crypto
>> package shipped [1]. What do you think about this goal ?
>
> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> bother. Seems like a waste of time to me. If I were going to port to any
> other crypto library, I'd port to gcrypto, not NSS.

Gcrypto is GPL and thus incompatible with a lot of crypto packages,
unfortunately. Not good for consolidation.
>
> --
> Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


 

All times are GMT.