On Fri, Jul 12, 2013 at 11:00:09AM -0500, Serge Hallyn wrote: > Quoting Daniel P. Berrange (berra...@redhat.com): > > Copy+pasting code for encryption algorithms is really not nice. > > It means that instead of distributors of your package being able > > to rely on the fact 'gnutls' is (eg) FIPS certified, they now have > > to explicitly certify the copy of the code in your package too :-( > > Interesting point, thanks. (I had considered the more general problem > of library updates, but I deemed the likelyhood of sha1.c needing > updates to be low) > > Haven't dealt with FIPS in many years, but I *thought* that in the > past you had to do a full certification anyway if you dynamically > linked. Am I wrong about that?
I'm not 100% on the details, but IIUC there are different levels of certification. The crypto libraries do some special things if the host is booted in fips mode too, for example they may do self-tests of their APIs/algorithms, and disable certain algorithms according to policy. So if you're copying + pasting code, then you obviously loose those two aspects too. I just know that proliferation of crypto implementations across apps is a major area of pain for people doing software certification - they don't even like having to certify all 3 of gnutls, openssl + nss, but they finally accepted they could not force all projects to standardize on nss alone. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| ------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
