On Wed, Apr 16, 2014 at 10:15 AM, Артур Истомин <[email protected]> wrote:

> On Tue, Apr 15, 2014 at 03:34:36PM -0600, Theo de Raadt wrote:
> > >Log message:
> > >Remove the GOST engine: It is not compiled or used and depends on the
> > >"dynamic engine" feature that is not enabled in our build.  People who
> > >need it can still pull it out of the Attic; if it is to have a Russian
> > >engine just because it's a Russian engine.
> > >----------------------------------------------------------------------
> > >
> > >This hash function is a formal requirement in all public institutions in
> > >Russia. Removing it, the work of people using OpenBSD in these
> > >institutions is greatly complicated by its return.
> >
> > First off, this library's primary function is to supply two major
> > components for use by people:
> >
> >       SSL protocol
> >       raw symmetric & asymmetric crypto functions
> >
> > Meeting the "requirements of public institutions" is pretty low on the
> > list right about now.  Quite frankly, I do not want my own government
> > using OpenSSL for anything.  As it is now, it is not suitable.
> >
> > >This is a political decision, or indeed it is necessary for the cleaning
> > >OpenSSL? Do not throw out the child along with the bath.
> >
> > Dynamic loading of crypto libraries into a framework is not
> > acceptable.  Furthermore, if you dig just a bit deeper, you will
> > quickly realize that this code has not worked in our tree before.  It
> > was not enabled.  It did not work.
> >
> > In the interests of full disclosure, do you work for the government or
> > sell to the government?
>
> I'm not sure what it means "to work for the government" in terms of the
> English language. I am now in the process of transfer to the
> IT-department of city hall of small town in the geographical center of
> Russia. In the area of my responsibility will be the network
> infrastructure of city hall. This is "work for the government"?
>
> I assumed that, for establishment GOST, it is enough to recompile
> OpenSSL in source tree and install it. Situation worsens in that it is
> the only implementation of GOST, so that there are no alternatives for
> unix and unix-like systems.
>
> Yet your words as the words of Bob and Reyk, given your competence in
> this area, sound convincing. If it makes the system more secure, it is
> a sensible move. I am glad that there is no politics.
>


Well mostly no politics here in a sense you thought initially (and not
everyone behind your borders thinks that "*" we can see in our media is
true). OpenBSD is just trying to fix crap created by outside company
http://undeadly.org/cgi?action=article&sid=20140415093252&mode=expanded&count=8
and well on the way things are removed which don't make any sense or
were used in the past or are supposed to not be used. From this point of view
it's maybe better to try to convince local authority where you will be
doing some work in IT area to use something really newer and better. I know
it can be nearly impossible, but it is worth a try. Of course I don't
know how much GOST is used in Russia and why (historical reasons, whatever).
