Am 11.06.24 um 16:09 schrieb Dmitry Belyavskiy:
Dear colleagues,
Let me try to summarize the pros and cons of this discussion.
Our intention is making the software and its settings as secure as
possible by default. That's why we have crypto policies.
The proposed change is aligned with the setting we have implemented in
RHEL9 for 2-3 years, and there were only several use cases affected by
this tightening, mostly SSH.
I understand that not all old systems are upgradeable (though many of
them can be turned to smth using better algorithms - e.g. EC SSH keys
are available on RHEL 7).
So for these use cases we would like to propose either use runcp utility
(which doesn't undermine the default settings) or, worst case, use a
jump container. Any of this solution doesn't undermine the whole
system's security.
toolbox is a nice helper for such cases ...
I believe that now we could move this change forward, having a
workaround for some use cases, probing to detect the legacy algorithm
when it was missing, and higher security standards.
--
Leon
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
