On Wed, Nov 7, 2018 at 7:30 AM Doug Hellmann <d...@doughellmann.com> wrote: > > Joshua Cornutt <jcorn...@gmail.com> writes: > > > Doug, > > > > I have such a list put together (my various installation documents for > > getting these clouds working in FIPS mode) but it's hardly ready for > > public consumption. I planned on releasing each bit as a code change > > and/or bug ticket and letting the community consume it as it figures > > some of these things out. > > It's likely that the overall migration will go better if we all have the > full context. So I hope you can find some time to publish some of the > information you've compiled to help with that. > > > I agree that some changes may break backwards compatibility (such as > > Glance's image checksumming), but one approach I think could ease the > > transition would be the approach I took for SSH key pair > > fingerprinting (also MD5-based, as is Glance image checksums) found > > here - https://review.openstack.org/#/c/615460/ . This allows > > administrators to choose, hopefully at deployment time, the hashing > > algorithm with the default of being the existing MD5 algorithm. > > That certainly seems like it would provide the most compatibility in the > short term. > > That said, I honestly don't know the best approach for us to take. We're > going to need people who understand the issues around FIPS and the > issues around maintaining backwards-compatibility to work together to > create a recommended approach. Perhaps a few of the folks on this thread > would be interested in forming a team to work on that? > > Doug >
I'd be interested in that. Good idea > > Another approach would be to make the projects "FIPS aware" where we > > choose the hashing algorithm based on the system's FIPS-enforcing > > state. An example of doing so is what I'm proposing for Django > > (another FIPS-related patch that was needed for OSP 13) - > > https://github.com/django/django/pull/10605 > > > > __________________________________________________________________________ > > OpenStack Development Mailing List (not for usage questions) > > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev