> Given we are targeting Rails 5.1 for the SCL we are building and it's the
> newest, does anything change here with using it?

The approach stays the same, I think. My bet would be the problems stay the same too (i.e. use of MD5 in caches).

> I have heard that the teams that work on those backend projects we use
> are/have looked into FIPS compliancy so we don't need to worry about that
> aspect.
>
> Sounds like we still need to look at the installer to ensure Kafo, Puppet
> and the Puppet modules are all FIPS compliant?

Yes, although I'd imagine puppet itself is going to be ok, as long as a FIPS-compatible hash function is configured. Puppet modules have issues, for example dhcpd and bind puppet modules might use MD5s, as those dependencies are configured with MD5-based shared secrets.

> I suppose we could test for this? For example, if a user provides custom
> SSL certificates for the web server we could run a check and warn a user?

Before a certificate is installed, yes. Might get involved though (as most things tend to when it comes to SSL/TLS and certificates).

> Is it possible to detect that a system is running in FIPS mode to only
> warn in that case?

Yes, it is possible to detect that a system is running in FIPS mode.

> How often do you see this CI job running? And I assume this would be
> temporary until we are fully FIPS compliant?

A few times a day at first -- to help resolve w/e issues we currently have. After that -- w/e pattern/schedule we currently have or plan to have, in other words, we run *all* CI in FIPS mode.

cheers,
-d
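A sketch of the check discussed in the exchange above (warn about a user-supplied certificate only when the host runs in FIPS mode), added here as an example and not taken from the thread or from the Foreman installer. It assumes a Linux host that exposes the kernel flag `/proc/sys/crypto/fips_enabled`; the function names are hypothetical, and checking only for an MD5-based signature algorithm is an assumption drawn from the MD5 concerns raised in the thread.

```ruby
require 'openssl'

# Linux kernel flag: contains "1" when the system runs in FIPS mode.
FIPS_FLAG = '/proc/sys/crypto/fips_enabled'

# True when the kernel reports FIPS mode. The path is a parameter so the
# check can be exercised on a machine that is not in FIPS mode.
def fips_mode?(flag_path = FIPS_FLAG)
  File.read(flag_path).strip == '1'
rescue SystemCallError
  false # flag file absent or unreadable: treat the host as non-FIPS
end

# Assumption for this example: the only property checked is an MD5-based
# signature algorithm name such as "md5WithRSAEncryption".
def md5_signature?(signature_algorithm)
  signature_algorithm.downcase.include?('md5')
end

# Returns a list of warnings for a PEM certificate. Outside FIPS mode the
# list is always empty, so users on non-FIPS hosts are never warned.
def certificate_warnings(pem, flag_path = FIPS_FLAG)
  return [] unless fips_mode?(flag_path)

  cert = OpenSSL::X509::Certificate.new(pem)
  alg = cert.signature_algorithm
  return [] unless md5_signature?(alg)

  ["#{cert.subject}: signature algorithm #{alg} is not usable in FIPS mode"]
rescue OpenSSL::X509::CertificateError => e
  # An unparsable file is reported before installation rather than ignored.
  ["certificate could not be parsed: #{e.message}"]
end
```

Run before the certificate is installed, the returned list can be printed as warnings or used to stop the installation.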