Joshua Cornutt <jcorn...@gmail.com> writes:

> On Wed, Nov 7, 2018 at 7:30 AM Doug Hellmann <d...@doughellmann.com> wrote:
>>
>> Joshua Cornutt <jcorn...@gmail.com> writes:
>>
>> > Doug,
>> >
>> > I have such a list put together (my various installation documents for
>> > getting these clouds working in FIPS mode) but it's hardly ready for
>> > public consumption. I planned on releasing each bit as a code change
>> > and/or bug ticket and letting the community consume it as it figures
>> > some of these things out.
>>
>> It's likely that the overall migration will go better if we all have the
>> full context. So I hope you can find some time to publish some of the
>> information you've compiled to help with that.
>>
>> > I agree that some changes may break backwards compatibility (such as
>> > Glance's image checksumming), but one approach I think could ease the
>> > transition would be the approach I took for SSH key pair
>> > fingerprinting (also MD5-based, as are Glance image checksums) found
>> > here - https://review.openstack.org/#/c/615460/ . This allows
>> > administrators to choose, hopefully at deployment time, the hashing
>> > algorithm with the default of being the existing MD5 algorithm.
>>
>> That certainly seems like it would provide the most compatibility in the
>> short term.
>>
>> That said, I honestly don't know the best approach for us to take. We're
>> going to need people who understand the issues around FIPS and the
>> issues around maintaining backwards-compatibility to work together to
>> create a recommended approach. Perhaps a few of the folks on this thread
>> would be interested in forming a team to work on that?
>>
>> Doug
>>
>
> I'd be interested in that. Good idea

I added "FIPS compliance" to the list of community goal ideas in
https://etherpad.openstack.org/p/community-goals (see number 35,
currently at the bottom of the etherpad). Please add more detail there
about what exactly is involved, references, etc. -- whatever you think
would be useful to someone learning about what this is.

>
>> > Another approach would be to make the projects "FIPS aware" where we
>> > choose the hashing algorithm based on the system's FIPS-enforcing
>> > state. An example of doing so is what I'm proposing for Django
>> > (another FIPS-related patch that was needed for OSP 13) -
>> > https://github.com/django/django/pull/10605
>> >
>> > __________________________________________________________________________
>> > OpenStack Development Mailing List (not for usage questions)
>> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Doug
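The two approaches discussed in the thread (an operator-selected fingerprint hash that defaults to MD5, and selection based on the host's FIPS-enforcing state) can be combined as in the following added example, which is not code from the linked OpenStack review or the Django pull request. The function names, the policy of letting an explicit setting win, the use of the Linux `/proc/sys/crypto/fips_enabled` flag, and the constructed sample key are assumptions made for illustration.

```python
import base64
import hashlib
from pathlib import Path

# Linux kernel flag: contains "1" when FIPS mode is enforced.
FIPS_FLAG = Path("/proc/sys/crypto/fips_enabled")

# Constructed sample key (not a real key): ed25519 wire header + 32 dummy bytes.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " constructed@example"


def fips_enabled(flag_path=FIPS_FLAG):
    """Return True when the kernel reports FIPS mode; False if the flag is absent."""
    try:
        return Path(flag_path).read_text().strip() == "1"
    except OSError:
        return False


def choose_algorithm(configured=None, fips=None):
    """Pick the fingerprint hash (hypothetical policy combining both approaches).

    An explicit operator setting wins; with no setting, keep the legacy MD5
    default unless the host enforces FIPS, where SHA-256 is used instead.
    """
    fips = fips_enabled() if fips is None else fips
    if configured is None:
        return "sha256" if fips else "md5"
    name = configured.lower()
    if name not in ("md5", "sha256"):
        raise ValueError(f"unsupported fingerprint algorithm: {configured}")
    if fips and name == "md5":
        # Fail at configuration time instead of at the first hashing call.
        raise ValueError("md5 configured but the host enforces FIPS mode")
    return name


def fingerprint(pubkey_line, algorithm):
    """Fingerprint an OpenSSH public key line in the style ssh-keygen -l prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.new(algorithm, blob).digest()
    if algorithm == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    algo = choose_algorithm()
    print(algo, fingerprint(SAMPLE_KEY, algo))
```

Because the two fingerprint formats differ, anything that stored or compared the MD5 form needs the same setting on every node, which is the backwards-compatibility concern raised in the thread.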