Quoting Kevin Kofler via devel (2022-06-30 14:15:04)
> You are making two doubtful assumptions:
>
> 1. That the users will bother reporting their issues to the server
> administrators at all. I would expect them to just blame Fedora for it and
> move to a different operating system that just works, or at most to apply a
> local workaround (what I called "jump through hoops", e.g., changing the
> system crypto policy to LEGACY and/or loading the legacy provider with its
> legacy algorithms into OpenSSL) and then forget about it.

> 2. That the server administrators will actually care about complaints from
> non-Windows users, assuming they even read user complaints at all to begin
> with, and that they will be willing to switch to newer (more secure)
> algorithms that may break compatibility with some ancient operating systems
> that other users might still use.

I agree with your statements
but I do not make the assumptions you ascribe to me.
I'm painfully aware that progress doesn't happen magically
when we break something in Fedora.
Hoops are a horrible propellant of progress,
but still the best one we have.

> I do not believe that Fedora actually has any levy to get server
> administrators to upgrade their setups.
> We have to work with whatever obsolete junk is out there.

Is Fedora supposed to be a locomotive of secure defaults?
In an attempt to slow down devolving into opinion-vs-opinion,
let me back mine with https://docs.fedoraproject.org/en-US/project:

> Four Foundations: First
>
> We are committed to innovation.
>
> We are not content to let others do all the heavy lifting on our behalf;
> we provide the latest in stable and robust, useful,
> and powerful free software in our Fedora distribution.
>
> At any point in time, the latest Fedora platform
> shows the future direction of the operating system
> as it is experienced by everyone from the home desktop user
> to the enterprise business customer.
> Our rapid release cycle
> is a major enabling factor in our ability to innovate.
>
> We recognize that there is also a place for long-term stability in the
> Linux ecosystem, and that there are a variety of community-oriented
> and business-oriented Linux distributions available to serve that need.
> However, the Fedora Project’s goal of advancing free software dictates
> that the Fedora Project itself pursue a strategy
> that preserves the forward momentum of our technical,
> collateral, and community-building progress.
> Fedora always aims to provide the future, first.

In terms of cryptographic defaults, Fedora even lags behind RHEL,
so requests to slow down even further don't elicit much support from me.
If one day this page replaces "First" with, say,
"Compatibility: we have to work with whatever obsolete junk is out there,
security comes second", I will concede.
But today, I think the current pace of
deprecations *in the default configuration*
doesn't just align with Fedora's goals, it's slower than it should be.

Non-default configurations are a different beast altogether,
and the users' feet-shooting freedom is something we should defend, yes.
But the defaults have to march on unabated.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org