[Pacemaker] Building pacemaker without gnutls
Andrew Beekhof
andrew at beekhof.net
Thu Aug 14 05:14:54 CEST 2014
On 13 Aug 2014, at 8:53 am, Oren <theoren28 at hotmail.com> wrote:
> Hi,
> Anything you can do will be appreciated.
> Regarding the FIPS concern, I hear you but it's never really that black and white.
> One way to look at it is as follows:
> 1) Allowing pacemaker to compile with OpenSSL and without GnuTLS (original post)
Without gnutls is (or should be) certainly possible. The relevant #ifdef's should be in place to allow this.
Compiling with openssl, that's a less certain prospect - I can't imagine it's a drop-in replacement.
I wouldn't object to a patch if someone proposed one, but it's not something I can imagine I will spend significant time on myself.
It's certainly not a requirement that I've heard from anyone else so far.
If that changes, I would certainly look at re-prioritizing it.
> 2) Making pacemaker a FIPS approved software
> Alt. 1 is Practical; Common (e.g., freetds RPM); Natural and Extends package "availability"
> (FIPS customers that are not allowed to use GnuTLS will have pacemaker in the gray area rather than black)
> Alt. 2 is Expensive; Takes time; but gains Certificated and Business motivated.
>
> The less secure claim is also gray.
These days it seems prudent to be suspicious whenever a particular government and cryptography are mentioned in the same sentence.
Especially when they are mandating the "one true version" of a piece of software to be used everywhere.
> Major security fixes are nowadays released quickly (e.g., heartbleed).
> Anyway, how users handle bugs in FIPS env. is not an HA community concern.
> Best,
> Oren