[lxc-devel] [PATCH 1/1] lxc_create: prepend pretty header to config file

Daniel P. Berrange berrange at redhat.com
Fri Jul 12 16:11:36 UTC 2013


On Fri, Jul 12, 2013 at 11:00:09AM -0500, Serge Hallyn wrote:
> Quoting Daniel P. Berrange (berrange at redhat.com):
> > Copy+pasting code for encryption algorithms is really not nice.
> > It means that instead of distributors of your package being able
> > to rely on the fact 'gnutls' is (eg) FIPS certified, they now have
> > to explicitly certify the copy of the code in your package too :-(
> 
> Interesting point, thanks.  (I had considered the more general problem
> of library updates, but I deemed the likelihood of sha1.c needing
> updates to be low)
> 
> Haven't dealt with FIPS in many years, but I *thought* that in the
> past you had to do a full certification anyway if you dynamically
> linked.  Am I wrong about that?

I'm not 100% on the details, but IIUC there are different levels of
certification. The crypto libraries do some special things if the
host is booted in fips mode too, for example they may do self-tests
of their APIs/algorithms, and disable certain algorithms according
to policy. So if you're copying + pasting code, then you obviously
lose those two aspects too. I just know that proliferation of crypto
implementations across apps is a major area of pain for people doing
software certification - they don't even like having to certify
all 3 of gnutls, openssl + nss, but they finally accepted they could
not force all projects to standardize on nss alone.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



