https://bugzilla.redhat.com/show_bug.cgi?id=2394931
--- Comment #24 from Simo Sorce <[email protected]> ---

(In reply to Carlos Rodriguez-Fernandez from comment #23)

> (In reply to Simo Sorce from comment #22)
> > Carlos,
> > please do not try to put words in my mouth in some attempt to win an
> > argument on the internet.
>
> Please, do not make this personal and start thinking evil of my intentions.
> Let's keep the conversation technical. If I misquoted something from you
> that I didn't do correctly, feel free to correct it, clarifying you didn't
> say so that way, which then will help me understand your point of view and
> concerns.
>
> > Fedora ships 3 different TLS libraries that are curated and tested
> > rigorously (partly by way of inclusion in RHEL), and it is an integrated
> > system that should work coherently as a whole.
>
> Are botan and botan2 included in that TLS list? Those libraries are in
> Fedora already, and in all main distros, including now botan3 as well.

No, none of the botan libraries is; the three vetted libraries are OpenSSL, GnuTLS and NSS.

> > A distribution is not just a
> > kitchen sink where anything goes and curating 3 different stacks is already
> > a lot, ideally we should reduce that further.
>
> That's an extreme I am not advocating here, but again, as far as I can see
> from evidence in Fedora itself, there is no problem in including
> alternative libraries to things when it is useful for other apps and for our
> users as long as it follows the packaging guidelines. The Crypto documentation
> [1], as written right today, wouldn't ban botan3 from Fedora Linux. If so,
> could you please provide the interpretation of the documentation portion
> that would grant so?

I think you may misunderstand what the crypto policies are.

Crypto policies is this: https://packages.fedoraproject.org/pkgs/crypto-policies/crypto-policies/
And it was introduced in Fedora 21: https://fedoraproject.org/wiki/Changes/CryptoPolicy

Unfortunately your link at [1] seems to have lost clarity on this over time. In any case, the meaning of the link is that if you introduce a crypto library package that does not conform to crypto policies you have to ask for an exception from the Fedora Packaging Committee, which is informed by the Crypto Team on what is acceptable or not; then they can decide any way they want and override the recommendations of the Crypto Team.

Botan still does not properly support Crypto Policies, therefore at each new package review I will keep objecting to its inclusion in Fedora. I also have severe reservations about the quality of this library and therefore its inclusion as a general use library.

My understanding is that librnp is the main driver to include this library in Fedora and that librnp supports using OpenSSL as a backend since version 0.16.0, therefore that library should probably use the OpenSSL backend now and not depend on botan, which removes one of the main reasons to have botan in Fedora at all (librnp is used by Thunderbird, which is the main driver to have rnp at all).

> > Cryptography libraries, unlike other tools, are vital to maintain the
> > privacy and security of our users, therefore any inclusion of cryptographic
> > libraries in Fedora receives extra scrutiny. It is the reason why there is
> > this extra review from the Crypto Team when such a library is proposed.
>
> Upstream doesn't just choose libs based on whether they are available in
> Fedora Linux. If a lib is not, the only struggle will go to the packager who
> will need to do some hacking specific to Fedora Linux because every major
> distro already ships or is working on shipping botan3.

Upstream projects can do what they think best for them; Fedora is not obliged to include everything every package upstream decides on. Where possible we should choose to use the better integrations in terms of security, and for librnp at this point (assuming feature parity) this should be openssl, not botan.

I understand there are a couple of other applications that were added just because botan was let through; this is the slippery slope we do *not* want to encourage. Excessive proliferation of crypto libraries is *not* a good thing; the amount of work needed to maintain cryptography securely is not trivial, and the only way to do that at the distribution level is to limit the proliferation to what the Crypto Team can maintain properly.

Note that this is not just ensuring upstream CVEs are packaged and released timely; we do a lot more than that for Cryptography. We have conformance testing for TLS, we curate crypto-policies so that TLS is configured properly for the system and weak algorithms and protocol versions are disabled. We curate the CA certificate store so only vetted CAs are allowed on the system. We test for side-channels, and work with upstream to ensure all side-channels are plugged. We implement and provide patches upstream to improve the integration with the system.

We can't do these activities for an unbounded number of libraries, and most Fedora packagers do not have the skills nor the time to perform them on their own, which is why we try to avoid proliferation of low level cryptography and critical security protocol (TLS/SSH) packages.

> I understand the need for a process, and the policies, and such, but I don't
> think the Crypto Policies as written today would ban botan3, and if so I
> would love to learn how.

See above: Fedora Policy is that all crypto libraries should, at the very least, support crypto-policies, especially libraries that implement TLS.

> We all share the care, and I understand that, but please keep in mind that
> RedHat is not Fedora. RedHat can exclude botan3 from their distro.

It is Red Hat, not RedHat, and this has nothing to do with Red Hat; it has to do with ensuring libraries have good maintenance and testing within Fedora in order to maintain the security of the system at a good level.

> [1]
> https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_new_crypto_libraries
