Re: crypto policy for Debian?

To: debian-devel@lists.debian.org
Subject: Re: crypto policy for Debian?
From: Tomas Pospisek <tpo2@sourcepole.ch>
Date: Sat, 12 Dec 2020 11:28:12 +0100
Message-id: <[🔎] 700e90f5-ccab-bbdf-2ce6-6e777bf8167e@sourcepole.ch>
In-reply-to: <[🔎] 9040a27f-afc7-f4f1-87bc-1e388384dd10@debian.org>
References: <[🔎] 9040a27f-afc7-f4f1-87bc-1e388384dd10@debian.org>

On 11.12.20 10:08, Timo Aaltonen wrote:

I noticed that crypto-policies is packaged, but not really usedanywhere. Would it be worthwhile to make it the official way toconfigure the system-wide crypto policy as it was implemented in Fedora[1]? This has been briefly mentioned before at least in bug 765512 [2],but nothing came out of it. I think it would benefit Debian if supportfor crypto-policies was added to packages, and make it a release goalfor Bookworm. Or is it just a matter of JFDI and filing bugs & MR'sagainst the affected packages?
[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765512


I think it's indeed just a matter of filing bugs & MR's.

On the topic of actually *having* a system wide crypto policy:(Attention: opinion/point of view coming...): from time to time I wishhaving a system wide crypto policy switch. Needing to get aquainted withnginx' way to configure SSL, then apache's, then postgres', thendovecot's, then ... is really senseless busywork. It'd be nice if Debianjust kept on updating those automatically to latest best practice andI'd be done with it. But with that comes *additional* complexity. So nowI have to *additionaly* learn the crypto-policy machine: what happenswhen crypto policies get updated? Will it automatically reload thedaemons involved? Or even *restart* those that need it? What happens ifI have a cluster, will the policy update break it (I had this happenregularily on a cluster on package updates)? How can I override systemwide policies? What's the hierarchy of the chain of different cryptopolicy settings if they override or contradict each other etc.?


So I think:
- it's valuable to have a system wide crypto policy
- it's substantially increasing complexity with a yet unknown win

- this actually is a Debian wide policy change so ideally it *should* bediscussed more widely than to creep it slowly in. However:- optimally nothing will change for anybody if the crypto-policy packagedoesn't get installed (wishful thinking)- ideally the involved people would know about Fedora's experience withthat new infrastructure: did it break working systems (I have a feelingthat Fedora is not a major server OS?)? Did the Fedora users love thenew crypto-policy system? Did the Fedora users hate it? Does it getinstalled by default there?- power to those that do things: just go ahead and we'll see what comesout and we can iterate to improve the system (wishful thinking + experience)


Thanks for taking the initiative Timo,
*t

Reply to:

References:
- crypto policy for Debian?
  - From: Timo Aaltonen <tjaalton@debian.org>

Prev by Date: Bug#977175: ITP: node-ist -- Mini assertion library
Next by Date: Re: [External] Re: Intel SOF audio firmware packaging
Previous by thread: crypto policy for Debian?
Next by thread: Bug#977127: ITP: astc-encoder -- ASTC image compression and decompression
Index(es):
- Date
- Thread