The First Of The Features Being Proposed For Fedora 23


  • The First Of The Features Being Proposed For Fedora 23

    Phoronix: The First Of The Features Being Proposed For Fedora 23

    With Fedora 22 being well past its change deadline and the final release just being a few weeks out, developers are beginning to look at planning their features/changes for Fedora 23...

    http://www.phoronix.com/scan.php?pag...tarts-Features

  • #2
    Originally posted by phoronix
    Disabling SSL3 & RC4 By Default - They'd be disabling them in the name of security.
    If they care for security, they should switch to LibreSSL.



    • #3
      Originally posted by Awesomeness
      If they care for security, they should switch to LibreSSL.
      I don't think so. Fedora/Red Hat generally favor NSS, although they have hired the maintainer of GNU TLS as well. LibreSSL is far from a drop-in replacement and, unlike OpenBSD, Linux distributions carry a massive number of software packages in the repositories which need extensive migration work if that path was taken. It is far from clear that LibreSSL is a major security win worth this investment since the ongoing OpenSSL code review has found a number of security bugs that affect LibreSSL as well.



      • #4
        As much as I like diversity, I'm not sure it's a good idea to switch away from Firefox. It's the most open and most compatible right now if you don't wanna choose Chrome. Its UI is actually GTK.

        Now then again, I would understand if it's a GTK3/Wayland block...:

        https://bugzilla.mozilla.org/show_bug.cgi?id=635134
        https://bugzilla.mozilla.org/show_bug.cgi?id=627699



        • #5
          Originally posted by balouba
          As much as I like diversity, I'm not sure it's a good idea to switch away from Firefox. It's the most open and most compatible right now if you don't wanna choose Chrome. Its UI is actually GTK.

          Now then again, I would understand if it's a GTK3/Wayland block...:

          https://bugzilla.mozilla.org/show_bug.cgi?id=635134
          https://bugzilla.mozilla.org/show_bug.cgi?id=627699

          There is no serious current proposal to switch away from Firefox, and Fedora 22 Firefox is already using GTK3. Using GTK 3 alone does not make Firefox use Wayland, however. Firefox is built using a completely separate UI layer with only some parts using GTK.



          • #6
            Originally posted by RahulSundaram
            LibreSSL is far from a drop-in replacement and, unlike OpenBSD, Linux distributions carry a massive number of software packages in the repositories which need extensive migration work if that path was taken.
            It's not a drop-in replacement in the sense that its ABI is the same, but that's not an issue anyway for a new major release.
            LibreSSL is also default on PC-BSD and Void Linux. Gentoo is experimenting with LibreSSL support. Its API appears to be fully compatible? I googled a bit and so far only found successful attempts to compile software against LibreSSL.

            Originally posted by RahulSundaram
            It is far from clear that LibreSSL is a major security win worth this investment since the ongoing OpenSSL code review has found a number of security bugs that affect LibreSSL as well.
            "LibreSSL Largely Unaffected": http://undeadly.org/cgi?action=artic...20150319145126



            • #7
              Originally posted by RahulSundaram
              I don't think so. Fedora/Red Hat generally favor NSS, although they have hired the maintainer of GNU TLS as well. LibreSSL is far from a drop-in replacement and, unlike OpenBSD, Linux distributions carry a massive number of software packages in the repositories which need extensive migration work if that path was taken. It is far from clear that LibreSSL is a major security win worth this investment since the ongoing OpenSSL code review has found a number of security bugs that affect LibreSSL as well.
              I'm sorry Rahul... what? Did you follow the development of LibreSSL at all? LibreSSL was a fork and cleanup of OpenSSL, so of course some of the same issues are going to affect it because it's the same code still in a lot of places. The advantage of LibreSSL over OpenSSL is that by being a heavily cleaned up and somewhat refactored version of OpenSSL (including dropping what effectively was an entire libc) it's going to be easier to find such bugs and is going to tend to have fewer issues, not that it's going to be immune or that it's not going to have the same ones as OpenSSL.



              • #8
                Originally posted by Awesomeness
                It's not a drop-in replacement in the sense that its ABI is the same, but that's not an issue anyway for a new major release.
                LibreSSL is also default on PC-BSD and Void Linux. Gentoo is experimenting with LibreSSL support. Its API appears to be fully compatible? I googled a bit and so far only found successful attempts to compile software against LibreSSL.

                "LibreSSL Largely Unaffected": http://undeadly.org/cgi?action=artic...20150319145126
                There are plenty of other issues regardless of ABI or API compatibility. For example, LibreSSL doesn't have FIPS support and that makes it a No Go as far as commercial distributions like Red Hat or SUSE are concerned. One could write a new patchset for LibreSSL, but FIPS certification is extremely expensive, to the tune of millions of dollars, and I doubt a completely new patchset is easy to develop, review or certify.

                As far as security issues go, there are enough shared problems at this point, as well as a lot more attention to OpenSSL due to combined funding via the core infrastructure project/Linux Foundation, that a switch isn't a clear win at all.



                • #9
                  Originally posted by Luke_Wolf
                  I'm sorry Rahul... what? Did you follow the development of LibreSSL at all? LibreSSL was a fork and cleanup of OpenSSL, so of course some of the same issues are going to affect it because it's the same code still in a lot of places. The advantage of LibreSSL over OpenSSL is that by being a heavily cleaned up and somewhat refactored version of OpenSSL (including dropping what effectively was an entire libc) it's going to be easier to find such bugs and is going to tend to have fewer issues, not that it's going to be immune or that it's not going to have the same ones as OpenSSL.
                  I followed it a lot more than you assume. See the previous post for details on why I don't believe a switch is going to fly.



                  • #10
                    Originally posted by RahulSundaram
                    There are plenty of other issues regardless of ABI or API compatibility. For example, LibreSSL doesn't have FIPS support and that makes it a No Go as far as commercial distributions like Red Hat or SUSE are concerned. One could write a new patchset for LibreSSL, but FIPS certification is extremely expensive, to the tune of millions of dollars, and I doubt a completely new patchset is easy to develop, review or certify.
                    FIPS certification might have marketing value, but it's pretty clear that it serves little practical purpose if it let something as awful as OpenSSL get certified. So unless you want to argue that openSUSE and Fedora are there to serve the corporate interests of Red Hat and SUSE as opposed to being community projects, then FIPS is of no concern to them, just for the actual products of Red Hat and SUSE: RHEL and SLES. You want to use other SSL libraries? Cool, but frankly OpenSSL itself needs to be canned.

                    Originally posted by RahulSundaram
                    As far as security issues go, there are enough shared problems at this point, as well as a lot more attention to OpenSSL due to combined funding via the core infrastructure project/Linux Foundation, that a switch isn't a clear win at all.
                    Unless OpenSSL has gone under the same refactoring and cleanup process that LibreSSL has, then "more attention" means very little, as LibreSSL is wading waist deep in shit whereas OpenSSL is wading up to their necks in shit, and so the effect is minimized.
