On Thu, Mar 13, 2008 at 10:24:31AM -0700, Robert Relyea wrote:
> This may be OK for some types of packages, but crypto has challenges
> of its own. There are constantly new attacks published against existing
> crypto implementations. These attacks are not necessarily 'bugs' in the
> implementation, per se (not the same way a stack overflow or an
> uninitialized variable is a bug -- even if it's latent), but improvements
> in the state of the art of cryptanalysis. Any crypto code without a very
> active upstream tracking these issues will very quickly atrophy and become
> vulnerable.

Network-facing clients and servers have the same security issues. But this
doesn't allow making a one-for-all decision about whether or not to maintain
this kind of package in Fedora. The maintainer may be skilled enough
and have enough time to substitute for the upstream. We cannot say in
advance, and should leave it to the maintainer.
(The export stuff is another issue, a legal issue).
--
Pat