wolfSSL "Immediately Retired" From Fedora Linux For Failing To Follow Packaging Rules


  • wolfSSL "Immediately Retired" From Fedora Linux For Failing To Follow Packaging Rules

    Phoronix: wolfSSL "Immediately Retired" From Fedora Linux For Failing To Follow Packaging Rules

    WolfSSL is an embedded SSL/TLS library designed for a range of use-cases and available as open-source under the GNU GPLv2. WolfSSL was recently packaged and added to Fedora Linux since Netatalk began building against wolfSSL and in the longer-term plans to require its use. So the Fedora packager of Netatalk went ahead with packaging up wolfSSL. But this in turn has led to issues and as of today is now being "immediately retired from Fedora."...


  • #2
    1. How is it supposed to follow the rules if the team it needs to be reviewed by does not exist?
    2. Why does a package need a legal review? I don't know anywhere that bans cryptography outright.

    Comment


    • #3
      It's good that Fedora did this, but their policies are as clear as mud. What they are poorly explaining is that a crypto library will have to integrate with this framework https://gitlab.com/redhat-crypto/fedora-crypto-policies . For all the muscle Red Hat has, I don't know why they aren't pushing a standard config format into these libraries instead of having to create custom integrations into each one, so that any library can just code to a cross-distro crypto policy standard and not have to have so much patchwork.

      Comment
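To make the integration problem in the post above concrete, here is an added example (not code from the Phoronix article, from Fedora, or from the crypto-policies project) of the "code to one policy" idea: a library, or an application configuring one, reads a single system-wide policy file and audits or narrows its own TLS defaults against it, instead of each library carrying a hand-written integration. The `key = value` layout of the sample policy is modelled on the crypto-policies definition (`.pol`) files, but the sample text, the `Policy`/`TlsConfig` types and the `check_config`/`apply_policy` helpers are all constructed for this example and are assumptions, not any real distro policy or API.

```python
"""Minimal consumer of a system-wide crypto policy (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample policy: the key = value layout is modelled on the
# crypto-policies definition (.pol) files, but the content is an assumption
# for this example, not a copy of any real Fedora policy.
SAMPLE_POLICY = """\
# Comment lines and blank lines are ignored.
protocol = TLS1.3 TLS1.2
cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-128-GCM AES-128-CCM
hash = SHA2-256 SHA2-384 SHA2-512
min_rsa_size = 2048
min_dh_size = 2048
"""


@dataclass
class Policy:
    # Ordered allow-lists (protocol, cipher, hash, ...): first entry is preferred.
    lists: Dict[str, List[str]] = field(default_factory=dict)
    # Numeric thresholds (min_rsa_size, min_dh_size, ...).
    ints: Dict[str, int] = field(default_factory=dict)


def parse_policy(text: str) -> Policy:
    """Parse `key = value` lines; list-valued keys are whitespace separated."""
    pol = Policy()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"policy line {lineno}: expected 'key = value'")
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("min_"):
            pol.ints[key] = int(value)
        else:
            pol.lists[key] = value.split()
    return pol


@dataclass
class TlsConfig:
    """What a library would otherwise hard-code: its own built-in defaults."""
    protocols: List[str]
    ciphers: List[str]
    hashes: List[str]
    rsa_bits: int


def check_config(cfg: TlsConfig, pol: Policy) -> List[str]:
    """Audit a configuration against the policy; an empty list means compliant."""
    problems = []
    for section, wanted in (("protocol", cfg.protocols),
                            ("cipher", cfg.ciphers),
                            ("hash", cfg.hashes)):
        allowed = pol.lists.get(section, [])  # missing section: nothing allowed
        problems += [f"{section} {name} not allowed"
                     for name in wanted if name not in allowed]
    min_rsa = pol.ints.get("min_rsa_size", 0)
    if cfg.rsa_bits < min_rsa:
        problems.append(f"rsa key size {cfg.rsa_bits} below minimum {min_rsa}")
    return problems


def apply_policy(cfg: TlsConfig, pol: Policy) -> TlsConfig:
    """Narrow a configuration to the policy, keeping the policy's preference order.

    A key size cannot be "filtered", so an undersized key is a hard error."""
    min_rsa = pol.ints.get("min_rsa_size", 0)
    if cfg.rsa_bits < min_rsa:
        raise ValueError(f"rsa key size {cfg.rsa_bits} below minimum {min_rsa}")

    def narrow(section: str, wanted: List[str]) -> List[str]:
        return [name for name in pol.lists.get(section, []) if name in wanted]

    return TlsConfig(narrow("protocol", cfg.protocols),
                     narrow("cipher", cfg.ciphers),
                     narrow("hash", cfg.hashes),
                     cfg.rsa_bits)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    # Constructed "library defaults" that still carry legacy entries.
    legacy = TlsConfig(["TLS1.2", "TLS1.0"], ["RC4-128", "AES-128-GCM"],
                       ["SHA1", "SHA2-256"], 2048)
    for problem in check_config(legacy, policy):
        print("violation:", problem)
    print("narrowed:", apply_policy(legacy, policy))
```

The point of the split between `check_config` and `apply_policy` is that a distro can use the same policy file two ways: a packaging or CI check that reports every place a library's defaults disagree with the policy, and a runtime path that silently narrows the defaults so the policy wins. Neither needs library-specific glue once both sides agree on the file format, which is the standardisation the comment above is asking for.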


      • #4
        Openssl is known crap, and apparently alright. Shrug.

        Comment


        • #5
          Originally posted by Daktyl198:
          1. How is it supposed to follow the rules if the team it needs to be reviewed by does not exist?
          2. Why does a package need a legal review? I don't know anywhere that bans cryptography outright.
          The team does exist, the documentation didn't point to the right people. As for the second point, it is unfortunately for the same reason multimedia libraries need legal review: software patents.

          Comment


          • #6
            Originally posted by King InuYasha:

            The team does exist, the documentation didn't point to the right people. As for the second point, it is unfortunately for the same reason multimedia libraries need legal review: software patents.
            It's not about patents. It's because the importation or use of some kinds of cryptography is illegal in some countries, while its export is potentially illegal in others. No one wants contributors to the Fedora project to accidentally run into trouble with criminal authorities, especially with geopolitically powerful states.

            Comment


            • #7
              What does it mean for your security team to be "currently defunct"? I have no idea how Fedora's governance works but isn't that bad? Shouldn't they always have a security team at all times?

              Comment


              • #8
                Originally posted by stormcrow:

                It's not about patents. It's because the importation or use of some kinds of cryptography is illegal in some countries, while it's export is potentially illegal in others. No one wants contributors to the Fedora project to accidentally run into trouble with criminal authorities, especially with geopolitically powerful states.
                You can name the United States. Fedora doesn't have to worry about other countries because they don't do business there. They do however have to care about what cryptography Uncle Sam says you can or can't use, whatever stupid software algorithms the USPTO allows to be patented so can't be used until they expire (even if a free implementation exists), and have to be careful about answering to a Russian in their IRC (sorry, you're on your own and don't even think about contributing to Fedora to help make it better).

                Comment


                • #9
                  Originally posted by stormcrow:
                  It's not about patents.
                  It is for the legal review step. That is why legal must review the enabled algorithms to make sure there are no patented (or otherwise encumbered) algorithms. For example, some of the elliptic curve algorithms were interpreted to have had some patents on them. It is entirely possible there are no issues, but legal review is a requirement as part of the process.

                  Comment


                  • #10
                    Originally posted by ahrs:

                    You can name the United States. Fedora doesn't have to worry about other countries because they don't do business there. They do however have to care about what cryptography Uncle Sam says you can or can't use, whatever stupid software algorithms the USPTO allows to be patented so can't be used until they expire (even if a free implementation exists), and have to be careful about answering to a Russian in their IRC (sorry, you're on your own and don't even think about contributing to Fedora to help make it better).
                    Nope. I meant it exactly as I stated it. Cryptographic restrictions aren't just about the US any more, nor is it about patents. It hasn't been for years. Many nations are enacting restrictions on the deployment, import, and export of cryptographic systems. Sorry to bust your bubble, but it's also most of Europe, China, India, and others. It's become a legal minefield beyond the more mundane potential patent issues.

                    Comment
