3:42 p.m.
Following is the list of topics that will be discussed in the FPC
meeting Thursday at 2014-08-21 16:00 UTC in #fedora-meeting-1 on
irc.freenode.net.
Local time information (via. rktime):
2014-08-28 09:00 Thu US/Pacific PDT
2014-08-28 12:00 Thu US/Eastern EDT
2014-08-28 16:00 Thu UTC <-
2014-08-28 17:00 Thu Europe/London BST
2014-08-28 18:00 Thu Europe/Paris CEST
2014-08-28 18:00 Thu Europe/Berlin CEST
2014-08-28 21:30 Thu Asia/Calcutta IST
------------------new day----------------------
2014-08-29 00:00 Fri Asia/Singapore SGT
2014-08-29 00:00 Fri Asia/Hong_Kong HKT
2014-08-29 01:00 Fri Asia/Tokyo JST
2014-08-29 02:00 Fri Australia/Brisbane EST
Links to all tickets below can be found at:
https://fedorahosted.org/fpc/report/12
= Followups =
(approval and retirement sections already passed, /opt exception passed,
basename passed)
#topic #339 software collections in Fedora
.fpc 339
https://fedorahosted.org/fpc/ticket/339
(comment #16 is the current winner)
#topic #341 How to replace "docker" package with an entirely
different package of the same name?
.fpc 341
https://fedorahosted.org/fpc/ticket/341
#topic #382 Go Packaging Guidelines Draft
.fpc 382
https://fedorahosted.org/fpc/ticket/382
(more votes needed, or defer to FESCO?)
#topic #444 Officially recommend to releng that SCLs be placed in
separate packages rather than separate branches in git
.fpc 444
https://fedorahosted.org/fpc/ticket/444
= New business =
#topic #447 Bundling exception for axmail
.fpc 447
https://fedorahosted.org/fpc/ticket/447
#topic #448 Copylib exception for fastlz
.fpc 448
https://fedorahosted.org/fpc/ticket/448
#topic #450 Temporary jsquery packing exception for kimchi
.fpc 450
https://fedorahosted.org/fpc/ticket/450
#topic #452 Crypto policies packaging guideline
.fpc 452
https://fedorahosted.org/fpc/ticket/452
#topic #453 Changes/SystemdSysusers updates for
Packaging:UsersAndGroups
.fpc 453
https://fedorahosted.org/fpc/ticket/453
= Open Floor =
For more complete details, please visit each individual ticket. The
report of the agenda items can be found at:
https://fedorahosted.org/fpc/report/12
If you would like to add something to this agenda, you can reply to
this e-mail, file a new ticket at https://fedorahosted.org/fpc,
e-mail me directly, or bring it up at the end of the meeting, during
the open floor topic. Note that added topics may be deferred until
the following meeting.
1:55 a.m.
New subject: Crypto policies packaging guideline
Dne 27.8.2014 22:42, James Antill napsal(a):
#topic #452 Crypto policies packaging guideline
.fpc 452
https://fedorahosted.org/fpc/ticket/452
Looking into this topic and the proposed guidelines [1], I am not sure
how to apply them for Ruby.
On the first look, looking for SSL_CTX_set_cipher_list, it is called at
[2]. It looks like some helper method, which in Ruby translates into
#ciphers= method, which does not appear to be used anywhere.
Nevertheless, if you look better, you can discover, that it is actually
called at [4] and fed by some defaults [5]. This is not directly obvious.
This raises several questions:
1) Will I (as a hobbyist packager) be able to reach the proper
conclusion, e.g. find the real place where these defaults are set, such
as [4, 5]?
2) What about dynamic languages, such as Ruby, Python etc. They are not
covered by the guidelines at all.
3) Should I really rewrite the upstream defaults and how? What will be
the impact on other libraries written in Ruby? Not mentioning that there
was quite lengthy controversial discussion upstream [6] and you ask me
again to override its results.
Don't take me wrong, I support this effort. It just looks to have lot of
blind spots.
Vít
[1] https://fedoraproject.org/wiki/User:Nmav/CryptoPolicies
[2] https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ssl.c#L904
[3] https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ssl.c#L2113
[4]
https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L86
[5]
https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L26
[6]
https://github.com/ruby/ruby/commit/699b209cf8cf11809620e12985ad33ae33b119ee
2:29 a.m.
New subject: Crypto policies packaging guideline
On 08/28/2014 08:55 AM, Vít Ondruch wrote:
Dne 27.8.2014 22:42, James Antill napsal(a):
> #topic #452 Crypto policies packaging guideline
> .fpc 452
> https://fedorahosted.org/fpc/ticket/452
Looking into this topic and the proposed guidelines [1], I am not sure
how to apply them for Ruby.
FPC discussed proposal briefly this during the meeting 2 weeks ago.
AFAIR, we felt this proposal is beyond your knowledge and we feared this
proposal to be inapplicable.
IMHO, we need a crypto-expert or team to formally review this proposal,
to identify packages it affects and to advise packagers and upstreams on
how to implement this, because I feel this proposal is way beyond the
scope of skill/knowledge of an average packager.
That, said, I am not sure, this proposal should be made part of the FPG,
but needs some kind of special treatment.
Don't take me wrong, I support this effort. It just looks to have
lot of
blind spots.
ACK.
Ralf
10:19 a.m.
New subject: Crypto policies packaging guideline
----- Original Message -----
IMHO, we need a crypto-expert or team to formally review this
proposal,
Nikos, who proposed this, is a crypto expert :)
to identify packages it affects and to advise packagers and upstreams
on
how to implement this, because I feel this proposal is way beyond the
scope of skill/knowledge of an average packager.
The guidelines can and probably should be expanded to be more directly applicable to other
languages, but IMHO making such a change in a package’s primary implementation language
very much _needs_ to be within the scope of the skill expected of an average packager.
Mirek
10:17 a.m.
New subject: Crypto policies packaging guideline
Hello,
(resurrecting an really old thread, sorry about the delay.)
----- Original Message -----
1) Will I (as a hobbyist packager) be able to reach the proper
conclusion, e.g. find the real place where these defaults are set, such
as [4, 5]?
If you, as the package maintainer, who knows the package, can’t do this, who can? The
security experts can grep for SSL_CTX_set_cipher_list as well as anybody, but following
through the call chain and multiple langauges does require package-specific expertise. A
distribution is supposed to be a set of software customized to work well together, and
yes, that necessarily means understanding the source code and being able to change it. We
_need_ to be able to do such things with Fedora’s packages; perhaps we haven’t been asking
packagers for this much recently, but we need to start, and this is as good a reason to
start as any.
2) What about dynamic languages, such as Ruby, Python etc. They are
not
covered by the guidelines at all.
Yes, it would be good to expand the guideline to
cover the bindings of the major languages.
3) Should I really rewrite the upstream defaults and how? What will
be
the impact on other libraries written in Ruby? Not mentioning that there
was quite lengthy controversial discussion upstream [6] and you ask me
again to override its results.
By my uninformed estimation, the vast majority of TLS using projects either don’t have an
explicit configuration (i.e. there is nothing to be done), or are not carefully
maintaining the cipher list, unlike this recent Ruby change; and even projects that have
recently updated it are not automatically guaranteed to keep maintaining it in the
future.
Libraries written in Ruby _should_ in general inherit the system-wide defaults, though,
yes, this may in very rare cases result in additional patching of these libraries if they
are connecting to specific services that are less secure and need custom configuration.
(It might be interesting to compare the Ruby defaults list and the current version of the
PROFILE=SYSTEM list.)
Mirek
3490
days inactive
3523
days old
4 comments
4 participants
participants (4)
-
James Antill -
Miloslav Trmač -
Ralf Corsepius -
Vít Ondruch