#785 Crypto policies packaging guideline update
Closed: accepted 3 years ago Opened 3 years ago by nmav.

Currently the text at:
https://fedoraproject.org/wiki/Packaging:CryptoPolicies
does not reflect reality in Fedora.

I propose changing the paragraph:
"Since Fedora 21 (Changes/CryptoPolicy) there are policies for the usage of SSL and TLS cryptographic protocols that are enforced system-wide. Each application being added in Fedora must be checked to comply with the policies. Currently the policies are restricted to applications using GnuTLS and OpenSSL, and rpmlint will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note, however, that there are applications which intentionally set weaker or custom settings on purpose (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the Fedora security team."

To:
"Since Fedora 21 (Changes/CryptoPolicy) there are policies for the usage of cryptographic protocols such as TLS that are enforced system-wide. Each application being added in Fedora must be checked to comply with the policies. Currently the policies are restricted to major libraries such as GnuTLS, OpenSSL, NSS, libkrb5, languages such as Java and major applications like OpenSSH and bind. The rpmlint tool will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note, however, that there are applications which intentionally set weaker or custom settings on purpose (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the Fedora security team."

Additionally, I propose including a new paragraph:

New crypto libraries

New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by FeSCO (or packaging committee), after consulting with Fedora security team.


libkrb5, OpenSSH and bind

This doesn't quite fit into the crypto libraries story; perhaps you could rephrase it a bit?

Hi,
Not sure I understand the request 100%. The sentence is not restricted to libraries, it lists first the libraries, then languages and then major applications.
"Currently the policies are restricted to applications using major libraries such as GnuTLS, OpenSSL, NSS, libkrb5, languages such as Java and major applications like OpenSSH and bind"

If that's not clear maybe something simpler like:
"Currently the policies apply to major libraries, languages and applications."

Then it could link or contain a table such as:
https://fedoraproject.org/wiki/User:Nmav/FedoraCryptoPolicies
(a link may be better, as it could point to a page editable by anyone, so new packages/components added to the policy don't need to go through the packaging committee)

@nmav can you copy the existing guidelines page, edit it and show a diff so that we could vote on it?

```
--- a 2018-07-27 11:28:53.481341395 +0200
+++ b 2018-07-27 11:30:06.095581292 +0200
@@ -1,6 +1,9 @@
== Enforcing system crypto policies ==
-Since Fedora 21 ([[Changes/CryptoPolicy]]) there are policies for the usage of SSL and TLS cryptographic protocols that are enforced system-wide. Each application being added in Fedora must be checked to comply with the policies. Currently the policies are restricted to applications using GnuTLS and OpenSSL,
-and rpmlint will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note however, that there are applications which intentionally set weaker, or custom settings on a purpose (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the [https://lists.fedoraproject.org/mailman/listinfo/security Fedora security team].
+Since Fedora 21 (Changes/CryptoPolicy) there are policies for the usage of cryptographic protocols such as TLS that are enforced system-wide. Each application being added in Fedora must be checked to comply with the policies. Currently the policies are restricted to major libraries such as GnuTLS, OpenSSL, NSS, libkrb5, languages such as Java and major applications like OpenSSH and bind.
+The rpmlint tool will warn when it detects that some action has to be taken; that detection is based on heuristics and limited to C programs, so manual inspection is recommended. Note however, that there are applications which intentionally set weaker, or custom settings on a purpose (e.g., postfix); those need not adhere to the policy. When in doubt, discuss with the Fedora security team.
+
+=== New crypto libraries ===
+New crypto libraries must comply with the crypto policies to enter Fedora, unless an exception has been granted by Fedora packaging committee, after consulting with Fedora security team.

=== C/C++ applications ===
```
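Review bot: the replacement lines in this hunk drop two links that the removed lines carry: the wiki link `[[Changes/CryptoPolicy]]` becomes plain text `(Changes/CryptoPolicy)`, and the security team link `[https://lists.fedoraproject.org/mailman/listinfo/security Fedora security team]` becomes bare `Fedora security team`, so a reader of the new guideline text can no longer reach the Change page or the list. Keep both links in the `+` lines. Secondary wording point in the same hunk: "Currently the policies are restricted to major libraries such as GnuTLS, OpenSSL, NSS, libkrb5, languages such as Java and major applications like OpenSSH and bind" reads as though the libraries themselves are what is restricted; "restricted to applications using major libraries such as ..." keeps the meaning of the line it replaces, which scoped the policies to applications.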

Obviously that diff isn't what @ignatenkobrain was looking for. We ask you to copy the page in the wiki and edit it there for a reason.

I made a useful diff here: https://fedoraproject.org/w/index.php?title=User%3ATibbs%2FCryptoPolicyDraft&type=revision&diff=523726&oldid=523722

Personally I think this makes sense, though I don't see why the mention of Fedora 21 is useful. Additionally I would change "Since Fedora 21 (link)" to "In Fedora": https://fedoraproject.org/w/index.php?title=User%3ATibbs%2FCryptoPolicyDraft&type=revision&diff=523727&oldid=523726

In any case, this seems reasonable once the actual changes are made visible. +1 from me.

Metadata Update from @tibbs:
- Issue tagged with: hasdraft, meeting

3 years ago

+1 to what @tibbs said (change "Since Fedora 21 (link)" to "In Fedora")

From this week's log ( https://meetbot-raw.fedoraproject.org/fedora-meeting-1/2018-08-23/fpc.2018-08-23-16.00.txt):

  • #785 Crypto policies packaging guideline update (geppetto, 16:08:13)
  • Crypto policies packaging guideline update (+1:4, 0:0, -1:0)
    (geppetto, 16:23:03)
  • ACTION: Everyone/someone else can vote in the ticket (geppetto,
    16:23:24)

+1 from me too (including the "In Fedora" suggestion).

If my vote is still needed, +1 from me too, since I trust you to do The Right Thing :tm: after discussing it at the meeting today.

Metadata Update from @james:
- Issue untagged with: meeting
- Issue assigned to tibbs
- Issue tagged with: writeup

3 years ago

Announcement text:

Small cleanups were made to the crypto policies guidelines to modernize them a bit, and a new section was added requiring that newly added crypto libraries must comply with existing crypto policies.

Metadata Update from @tibbs:
- Issue untagged with: hasdraft, writeup
- Issue tagged with: announce

3 years ago

Metadata Update from @tibbs:
- Issue untagged with: announce
- Issue close_status updated to: accepted
- Issue status updated to: Closed (was: Open)

3 years ago
