Re: libgcrypt20 delta now dropped

2024-01-16 Thread Julian Andres Klode
On Tue, Jan 16, 2024 at 07:52:18AM -0800, Steve Langasek wrote:
> On Tue, Jan 16, 2024 at 12:38:51PM +0100, Julian Andres Klode wrote:
> > Just to point out I synced libgcrypt20 from Debian now, which
> > drops the delta that enables FIPS mode that we had in past releases
> > where libgcrypt20 was not FIPS-enabled.
> > 
> > This was preceded by a long internal discussion and we've come
> > to the conclusion this patch is no longer needed.
> > 
> > Notably, if you really enable FIPS, nothing changes: You get a
> > certified libgcrypt20 from a PPA anyway.
> 
> > If you enable the FIPS flag in the kernel without using the FIPS PPA,
> > for example, by running in a container on a FIPS host, your
> > libgcrypt20 will now operate in FIPS mode, which may cause
> > behavioral changes.
> 
> Sorry, was this a typo and you meant to say "not operate" rather than "now
> operate"?
> 
> If the delta we were carrying was to enable FIPS mode, and we are dropping
> the patch, it would seem to have the opposite effect to what you've written.


Sorry, the delta was to *disable* FIPS mode.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en


signature.asc
Description: PGP signature
-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel


Re: libgcrypt20 delta now dropped

2024-01-16 Thread Steve Langasek
On Tue, Jan 16, 2024 at 12:38:51PM +0100, Julian Andres Klode wrote:
> Just to point out I synced libgcrypt20 from Debian now, which
> drops the delta that enables FIPS mode that we had in past releases
> where libgcrypt20 was not FIPS-enabled.
> 
> This was preceded by a long internal discussion and we've come
> to the conclusion this patch is no longer needed.
> 
> Notably, if you really enable FIPS, nothing changes: You get a
> certified libgcrypt20 from a PPA anyway.

> If you enable the FIPS flag in the kernel without using the FIPS PPA,
> for example, by running in a container on a FIPS host, your
> libgcrypt20 will now operate in FIPS mode, which may cause
> behavioral changes.

Sorry, was this a typo and you meant to say "not operate" rather than "now
operate"?

If the delta we were carrying was to enable FIPS mode, and we are dropping
the patch, it would seem to have the opposite effect to what you've written.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   https://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




libgcrypt20 delta now dropped

2024-01-16 Thread Julian Andres Klode
Just to point out I synced libgcrypt20 from Debian now, which
drops the delta that enables FIPS mode that we had in past releases
where libgcrypt20 was not FIPS-enabled.

This was preceded by a long internal discussion and we've come
to the conclusion this patch is no longer needed.

Notably, if you really enable FIPS, nothing changes: You get a
certified libgcrypt20 from a PPA anyway.

If you enable the FIPS flag in the kernel without using the FIPS PPA,
for example, by running in a container on a FIPS host, your
libgcrypt20 will now operate in FIPS mode, which may cause
behavioral changes.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer  i speak de, en
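
A check for the situation this thread describes (the kernel FIPS flag visible inside a container that does not use the FIPS PPA), added here as an example and not part of the original messages. It assumes the Ubuntu package follows upstream libgcrypt's triggers (the kernel flag file, /etc/gcrypt/fips_enabled and the LIBGCRYPT_FORCE_FIPS_MODE environment variable); the function names and the optional root argument are hypothetical.

```shell
#!/bin/sh
# Added example: list the FIPS-mode triggers that upstream libgcrypt
# looks at during initialisation. Assumption: the Ubuntu libgcrypt20
# package uses the same triggers as upstream.
# The optional ROOT argument lets the check run against another tree
# (a mounted container filesystem, or a constructed test directory).

gcrypt_fips_triggers() {
    root="${1:-}"
    triggers=""

    # Kernel flag. /proc/sys/crypto/fips_enabled comes from the host
    # kernel, so a container on a FIPS host sees the host's value.
    flag="$root/proc/sys/crypto/fips_enabled"
    if [ -r "$flag" ]; then
        val=$(tr -d '[:space:]' < "$flag")
        case "$val" in
            ''|0) ;;
            *) triggers="$triggers kernel-flag" ;;
        esac
    fi

    # Force file: its mere existence requests FIPS mode.
    if [ -e "$root/etc/gcrypt/fips_enabled" ]; then
        triggers="$triggers force-file"
    fi

    # Environment override (libgcrypt 1.10 and later).
    if [ -n "${LIBGCRYPT_FORCE_FIPS_MODE:-}" ]; then
        triggers="$triggers env-var"
    fi

    echo "${triggers# }"
}

# Succeeds (exit 0) when at least one trigger is present.
gcrypt_fips_expected() {
    [ -n "$(gcrypt_fips_triggers "${1:-}")" ]
}

if gcrypt_fips_expected; then
    echo "libgcrypt FIPS triggers present: $(gcrypt_fips_triggers)"
else
    echo "no libgcrypt FIPS trigger visible"
fi
```

Run it inside the container: a result of `kernel-flag` alone is the case discussed in the thread, where only the host kernel's setting puts the library into FIPS mode.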

