On 11.12.20 10:08, Timo Aaltonen wrote:
> I noticed that crypto-policies is packaged, but not really used
> anywhere. Would it be worthwhile to make it the official way to
> configure the system-wide crypto policy as it was implemented in Fedora
> [1]? This has been briefly mentioned before at least in bug 765512 [2],
> but nothing came out of it. I think it would benefit Debian if support
> for crypto-policies was added to packages, and make it a release goal
> for Bookworm. Or is it just a matter of JFDI and filing bugs & MRs
> against the affected packages?
>
> [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765512
I think it's indeed just a matter of filing bugs & MRs.

On the topic of actually *having* a system wide crypto policy:

(Attention: opinion/point of view coming...): from time to time I wish
I had a system wide crypto policy switch. Needing to get acquainted with
nginx's way to configure SSL, then apache's, then postgres', then
dovecot's, then ... is really senseless busywork. It'd be nice if Debian
just kept on updating those automatically to latest best practice and
I'd be done with it. But with that comes *additional* complexity. So now
I have to *additionally* learn the crypto-policy machine: what happens
when crypto policies get updated? Will it automatically reload the
daemons involved? Or even *restart* those that need it? What happens if
I have a cluster, will the policy update break it (I had this happen
regularly on a cluster on package updates)? How can I override system
wide policies? What's the hierarchy of the chain of different crypto
policy settings if they override or contradict each other etc.?

So I think:

- it's valuable to have a system wide crypto policy
- it's substantially increasing complexity with a yet unknown win
- this actually is a Debian wide policy change so ideally it *should* be
discussed more widely than to creep it slowly in. However:
- optimally nothing will change for anybody if the crypto-policy package
doesn't get installed (wishful thinking)
- ideally the involved people would know about Fedora's experience with
that new infrastructure: did it break working systems (I have a feeling
that Fedora is not a major server OS?)? Did the Fedora users love the
new crypto-policy system? Did the Fedora users hate it? Does it get
installed by default there?
- power to those that do things: just go ahead and we'll see what comes
out and we can iterate to improve the system (wishful thinking + experience)

Thanks for taking the initiative Timo,

*t