On Thu, Jan 10, 2013 at 02:59:41AM +0100, Mika Pflüger wrote:
> How should we proceed? Add kernel_read_crypto_sysctls for everyone who
> needs it (which could be quite some list considering that libgcrypt11
> has about 200 reverse dependencies…) or follow the Fedora way and allow
> it for everybody?

Allowing everyone to read it seems reasonable. There's no security problem
if a program finds out whether we are in fips mode or not.

> However, this only breaks fips mode for the affected programs so maybe
> the impact is so low that we don't fix it for wheezy and therefore
> only work for a solution upstream. How many people use system wide fips
> mode?

I don't use fips mode, but I think that fips users[0] would want this bug
fixed in wheezy. The change is minor, so getting an unblock wouldn't be
difficult. An actual fips user[0] should say their opinion on this bug.

[0]: if there are any
-- 
Marius Gavrilescu
(kids) There's no one in there. --6 year old son, in response to seeing his 
father hanging pictures and tapping on the walls to find the support beams.
