Tuesday 16 January 2024

Re: libgcrypt20 delta now dropped

On Tue, Jan 16, 2024 at 07:52:18AM -0800, Steve Langasek wrote:
> On Tue, Jan 16, 2024 at 12:38:51PM +0100, Julian Andres Klode wrote:
> > Just to point out I synced libgcrypt20 from Debian now, which
> > drops the delta that enables FIPS mode that we had in past releases
> > where libgcrypt20 was not FIPS-enabled.
> >
> > This was preceded by a long internal discussion and we've come
> > to the conclusion this patch is no longer needed.
> >
> > Notably, if you really enable FIPS, nothing changes: You get a
> > certified libgcrypt20 from a PPA anyway.
> > If you enable the FIPS flag in the kernel without using the FIPS PPA,
> > for example, by running in a container on a FIPS host, your
> > libgcrypt20 will now operate in FIPS mode, which may cause
> > behavioral changes.
> Sorry, was this a typo and you meant to say "not operate" rather than "now
> operate"?
> If the delta we were carrying was to enable FIPS mode, and we are dropping
> the patch, it would seem to have the opposite effect to what you've written.

Sorry, the delta was to *disable* FIPS mode.

debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en