On Wed, Feb 21, 2018 at 07:36:08AM -0800, Dan Kegel wrote:
> On Tue, Feb 20, 2018 at 10:16 PM, Ben McGinnes <b...@adversary.org> wrote:
>>
>> Because these two lines explain *precisely* why you need something
>> like RHEL or CentOS (certified systems to go with the auditing)
>> *and* updated crypto.
>
> And when you're on those certified, curated systems, you have
> access to tools like
> https://www.open-scap.org/resources/documentation/make-a-rhel7-server-compliant-with-pci-dss/
> to help make sure you're in compliance, I think.
>
> I suspect that kind of approach would make passing audits a lot
> easier than building the latest gnupg release yourself...
> and is less likely to break things.

In all likelihood, yes ... however open-scap.org is a RedHat service
and most likely only supplied to RHEL customers seeking PCI-DSS
compliance along with direct support via their service contract.

If, however, this particular case actually deals with CentOS systems
and not RHEL, then the OP has elected to forego that type of
professional service contract from the vendor in order to do it
themselves. Which brings us either back to this thread, or a business
decision at their end regarding whether or not to bring their systems
back to RHEL (it requires changing two files, IIRC, assuming they
haven't massively modified things) and paying RedHat whatever it takes
to get the job done.

I cannot predict which they will choose, nor am I willing to make a
recommendation solely on what's been presented here.

Still, the OP wanted options and now they've been provided. :)

Regards,
Ben
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users