#3267 wolfssl imported to Fedora after skipping MUST policy requirements for new crypto libraries
Closed: Accepted 2 months ago by decathorpe. Opened 2 months ago by decathorpe.

There is a MUST guideline for new crypto libraries in Fedora:

> New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by Fedora packaging committee, after consulting with Fedora security team.

https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/#_new_crypto_libraries

Admittedly, the "security team" is defunct, and is more-or-less replaced with the #security channel on our Matrix server.

However, it is clear that the library does not follow system-wide crypto policies, and it has apparently not undergone legal review (whether all crypto implementations in it are allowed to be shipped by Fedora).

No exception was granted for this package by the packaging committee.

This has also been discussed on the devel mailing list:

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/O75PAO57RDA4WGQMLB7CVY3PMHK5Y5RJ/

Despite noting this requirement on the package review ticket, the maintainer proceeded with importing the package.

https://bugzilla.redhat.com/show_bug.cgi?id=2302646#c11 (and follow-up comments)

The reviewer of the package (not the submitter) has now filed an FPC request to approve the package despite the non-compliance with crypto-policy rules: https://pagure.io/packaging-committee/issue/1390

But the package is already in stable Fedora repositories.


I just spoke with the crypto-policies maintainer and other members of the Red Hat security folks. Their opinion is that WolfSSL should not be permitted in Fedora without honoring crypto-policies.

Proposal: WolfSSL is immediately retired from Fedora. The maintainers may file a new package review request when WolfSSL respects the crypto system policy. This review request will not be considered approved without review by at least one member of the crypto team.

Actually, let me amend that proposal slightly:

Proposal: WolfSSL is immediately retired from Fedora. The maintainers may file a new package review request when WolfSSL respects the crypto system policy. This review request must be presented to the FPC, who must approve it before it is added back to the repositories.

The FPC can put whatever constraints they deem fit for inclusion.

FWIW given the disordered state of the security team, I think this is a FESCo matter.

Also, incidentally... if anyone from FESCo wants to help interested people reorganize and re-formalize the security team, that would be awesome.

Worryingly, https://bugzilla.redhat.com/show_bug.cgi?id=2302646#c13 from the package maintainer is flat out mischaracterizing what happened in that security room discussion.

"Fedora Security gave the recommendation to build with AES-NI, which has been done."

The advice was given by someone who is /not/ a packager and at least two members of FESCo, me and @ngompa, stepped in and raised concern - because WolfSSL does not have the ability to only use AES-NI on systems that support it and fall back to something else. We specifically at-mentioned the packager to make sure they understand the concern, but it appears they stopped reading as soon as someone who sounded authoritative gave them what they want.

Comment 12 also sounds really worrying in that the maintainer is ignoring advice and just going ahead full speed. And comment 9 for the review itself is also... worrying. So many things to unpack.

> Also, incidentally... if anyone from FESCo wants to help interested people reorganize and re-formalize the security team, that would be awesome.

I've sort of semi-officially been sounding out the frequent posters in that Matrix room about improving things, so I guess I can help here as soon as I'm back from vacation on the 13th (I'll be traveling to a conference after that, but this sounds like the perfect thing to organize during a conference anyway since I won't be working on projects).

> Comment 12 also sounds really worrying in that the maintainer is ignoring advice and just going ahead full speed. And comment 9 for the review itself is also... worrying. So many things to unpack.

I am so sorry to cause the trouble without digging into the crypto policies.

Guys - I am not intentionally mischaracterizing what happened. I will fully admit I am largely ignorant of exactly what process needed to take place, which is why I asked for help in the first place. Just finding who to talk to was a challenge, and when I thought I found the right person in the matrix room, I thought I was in the clear. This all happened on the eve of me leaving town, so I quickly pushed new packages before I left.

I apologize if there was any followup conversation in the matrix room, as I did not see it.

There has been no conspiracy to try and skip any part of the approval process.

Moving forward, can someone propose exactly what needs to be done?

> I just spoke with the crypto-policies maintainer and other members of the Red Hat security folks. Their opinion is that WolfSSL should not be permitted in Fedora without honoring crypto-policies.
>
> Proposal: WolfSSL is immediately retired from Fedora. The maintainers may file a new package review request when WolfSSL respects the crypto system policy. This review request will not be considered approved without review by at least one member of the crypto team.

Understood.

Would you please define exactly how to contact the crypto and/or FPC team?

We got ourselves to this point because the Fedora crypto documentation is no longer accurate on who to contact.

The crypto policies maintainer can be reached via crypto-policies-maintainers@fedoraproject.org and the Fedora Packaging Committee uses packaging@lists.fedoraproject.org or their issue tracker.

> The crypto policies maintainer can be reached via crypto-policies-maintainers@fedoraproject.org and the Fedora Packaging Committee uses packaging@lists.fedoraproject.org or their issue tracker.

Thank you.

Tagging this for today's meeting since we have a proposal but nobody voted on it.

Metadata Update from @decathorpe:
- Issue tagged with: meeting

2 months ago

The package was retired on all branches. It will take a few hours and a compose until it is fully removed.

To close the loop: This was discussed and voted on during today's FESCo meeting.

AGREED: WolfSSL is immediately retired from Fedora. The maintainers may file a new package review request when WolfSSL respects the crypto system policy. This review request must be presented to the FPC, who must approve it before it is added back to the repositories. (+5, 0, -0)

Metadata Update from @decathorpe:
- Issue close_status updated to: Accepted
- Issue status updated to: Closed (was: Open)

2 months ago
