On 10/01/2014 03:33 PM, Matthew Miller wrote:
On Wed, Oct 01, 2014 at 08:52:03AM +0300, Jonathan Dieter wrote:
The havege functions in the polarssl package are currently disabled
in the Fedora package. Newer releases of dolphin-emu, which are in
a popular external repository, require these functions.
According to https://bugzilla.redhat.com/show_bug.cgi?id=1069394#c1,
the HAVEGE feature is disabled because it's "controversial" and
"would lead to security problems", but the maintainer hasn't given
any more explanation than that in the bug report.
Is there any way we can get a second opinion on this? The external
Yes there is. Since the objection is potentially security related, it would
be good to get the input of the Fedora Security Team (probably on the
security@ mailing list). Second, having had that conversation, if it still
goes nowhere, file a ticket with FESCo.
Thanks Matthew for the roadmap on this. When doing further research to
try to work out where dolphin-emu was actually using the code, I found
that since dolphin-emu's latest release, they've switched to using
polarssl without the havege functions. I'm hoping we can backport those
commits into the latest release.
So, at this point, I think I'm going to desubmit (is that a word?
unsubmit?) my request for a second opinion and won't be pursuing this
any further. Apologies for any wasted time, and thanks Nikos for
explaining what havege is and why it shouldn't be used in this context.
Jonathan
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
