Fedora QA Meeting for this week - moved!

Steve Grubb sgrubb at redhat.com
Wed Oct 1 12:53:58 UTC 2008


On Tuesday 30 September 2008 18:30:29 Will Woods wrote:
> - Any features that will need close attention between now and Preview?

This is not a Fedora Feature (yet) but it is something we are curious 
about...libgcrypt has been updated to support FIPS-140-2. The way that we've 
worked things to enable FIPS mode is to add a fips=1 to the grub kernel boot 
params. However, that is not scheduled to be in a kernel until 2.6.28 (we 
wished the Fedora 10 kernel were patched so deeper testing could be done). In 
the meantime, libgcrypt in rawhide/F-10 does have a way of forcing the FIPS 
mode:

touch /etc/gcrypt/fips140.force

This causes it to disable certain non-FIPS approved algorithms and enable 
startup and continuous cryptographic tests. Any problems in applications will 
be noted in syslog. We know that FIPS mode breaks gnutls and everything 
linked to it. We don't know what else is potentially broken. 

We need every application linked to libgcrypt to either work as advertised or 
output a reasonable error message saying why it doesn't work - iow it depends 
exclusively on algorithms or keysizes that are forbidden by FIPS. The docs 
for gcrypt have been updated and explain in a lot more detail how things 
work (also required for FIPS). So, that should help fix apps.

This is not mandatory to be working at F-10 release since the kernel support 
is still way off in the future. (We'll probably start an F-11 feature page 
for this soon.) I expect a fair amount of breakage and would like a head 
start on making things work. No one should see any ill effects when not in 
FIPS mode, which is the way we expect everyone to run today.

Thanks,
-Steve
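
For testers picking up this request, one way to enumerate which installed executables load libgcrypt, either directly or through gnutls, so they can be exercised with the force file in place. This is an added example, not part of the message above or of libgcrypt; the function names and the `LDD` and `FORCE_FILE` overrides are assumptions of the example.

```shell
#!/bin/sh
# Added example: find executables that load libgcrypt so they can be
# tested with /etc/gcrypt/fips140.force present.
# LDD and FORCE_FILE are overridable (an assumption of this example).
LDD=${LDD:-ldd}
FORCE_FILE=${FORCE_FILE:-/etc/gcrypt/fips140.force}

# classify_ldd: read `ldd` output on stdin and print one of:
#   gnutls - loads libgnutls (reported broken in FIPS mode in the message)
#   gcrypt - loads libgcrypt without gnutls (status unknown, needs testing)
#   none   - does not load libgcrypt
classify_ldd() {
    awk '
        $1 ~ /^libgnutls/      { tls = 1 }
        $1 ~ /^libgcrypt\.so/  { gc = 1 }
        END {
            if (tls)     print "gnutls"
            else if (gc) print "gcrypt"
            else         print "none"
        }'
}

# scan_dirs DIR...: print "<class> <path>" for each executable regular
# file that loads libgcrypt. ldd resolves transitive dependencies, so a
# program that only links gnutls is still found. Run it only against
# trusted, installed binaries.
scan_dirs() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            class=$("$LDD" "$f" 2>/dev/null | classify_ldd)
            [ "$class" = none ] || printf '%s %s\n' "$class" "$f"
        done
    done
}

# fips_forced: succeed if libgcrypt's force file exists.
fips_forced() { [ -e "$FORCE_FILE" ]; }
```

After sourcing the file, `scan_dirs /usr/bin /usr/sbin` prints the candidates, and `fips_forced` confirms the force file is present before they are run and syslog is checked.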
