https://bugzilla.redhat.com/show_bug.cgi?id=2394931
--- Comment #23 from Carlos Rodriguez-Fernandez <[email protected]> ---

(In reply to Simo Sorce from comment #22)

> Carlos,
> please do not try to put words in my mouth in some attempt to win an
> argument on the internet.

Please, do not make this personal and start thinking evil of my intentions. Let's keep the conversation technical. If I misquoted something from you, feel free to correct it by clarifying that you didn't say it that way, which will then help me understand your point of view and concerns.

> Fedora ships 3 different TLS libraries that are curated and tested
> rigorously (partly by way of inclusion in RHEL), and it is an integrated
> system that should work coherently as a whole.

Are botan and botan2 included in that TLS list? Those libraries are in Fedora already, and in all main distros, which now include botan3 as well.

> A distribution is not just a
> kitchen sink where anything goes and curating 3 different stacks is already
> a lot, ideally we should reduce that further.

That's an extreme I am not advocating here, but again, as far as I can see from the evidence in Fedora itself, there is no problem in including alternative libraries when it is useful for other apps and for our users, as long as it follows the packaging guidelines. The Crypto documentation [1], as written right today, wouldn't ban botan3 from Fedora Linux. If so, could you please provide the interpretation of the documentation portion that would grant so?

> Cryptography libraries, unlike other tools, are vital to maintain the
> privacy and security of our users, therefore any inclusion of cryptographic
> libraries in Fedora receives extra scrutiny. It is the reason why there is
> this extra review from the Crypto Team when such a library is proposed.

Upstreams don't just choose libs based on whether they are available in Fedora Linux. If a lib is not, the only struggle will go to the packager, who will need to do some hacking specific to Fedora Linux, because every major distro already ships or is working on shipping botan3. I understand the need for a process, and the policies, and such, but I don't think the Crypto Policies as written today would ban botan3, and if so I would love to learn how.

> Fedora maintains approved rules about integration with the system in terms
> of supporting crypto-policies and properly using the system certificate
> store for which we do not have clear answers yet wrt botan (any version).
> I care for the quality of what we ship, especially around security and
> privacy features, which is why I take these reviews seriously.

We all share the care, and I understand that, but please keep in mind that Red Hat is not Fedora. Red Hat can exclude botan3 from their distro.

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_new_crypto_libraries
