[Fedora-packaging] crypto in fedora
Stephen John Smoogen
smooge at gmail.com
Thu Mar 20 17:06:44 UTC 2008
On Thu, Mar 20, 2008 at 6:00 AM, Patrice Dumas <pertusus at free.fr> wrote:
> On Thu, Mar 20, 2008 at 07:47:41AM -0400, Jesse Keating wrote:
> > On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote:
> > > Then we have to register crypto packages somewhere such that the people
> > > in charge can do the paperwork, isn't it? Don't we need a guideline
> > > here?
> > I actually need to prep a guideline that has all packages with crypto
> > technology block FE-LEGAL (if that's still the alias). We'll use that
> > to get an audit of the code to make sure it's either not new crypto, or
> > if it is, alert the appropriate people for export filings.
> Looks good.
> There are other questions that should be answered, however, in my opinion
> (with external sources of information if possible, no need to be fedora
> What are the criteria for being a crypto technology? It is easy to spot
> many packages that are not crypto, but for others it is not very clear
> to me. For example at which point a math library becomes a crypto
> library? And what about an application that computes hashes? Also does the
> registration need to be done each time there is a new release or once
> for all?
Back in 2001, it needed to be done every time there was an update to
the code (e.g. every time we patched kerberos openssh and put it out.. a
new fax was sent to DoC in Washington and the mirror push had to wait
until then.) However I am not sure if we had to do it with coreutils
(md5sum).. but I am not sure if patching that ever came up. I was
mostly on the "crap remove this from the mirrors, someone pushed too
early" end of things.
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"