Red Hat Bugzilla – Bug 619878
Remove python-crypto's crypto implementations, rewriting in terms of libgcrypt
Last modified: 2011-03-23 14:37:18 EDT
Description of problem:
python-crypto provides various API entrypoints relating to cryptography, and contains various implementations of cryptographic algorithms.
It is proposed to remove these implementations for certification reasons, rewriting the relevant API hooks in terms of libgcrypt.
Given that python-crypto occupies a particular place within the Python API namespace, we would need to replace all API hooks it provides with identical equivalents, or we run the risk of breaking things.
I have not yet checked to see if libgcrypt provides all of the algorithms that python-crypto implements.
Version-Release number of selected component (if applicable):
The certification of the python-crypto is probably not possible with the new revision of the FIPS-140 standard. But do we really need to have the python-crypto certified? If the only users of python-crypto are limited to some marginal functionality it could be probably kept out of the certified subset. As for the rewrite using some certified library - that's probably the only option if it is decided that we have to have all crypto certified. In that case it should be rewritten using the libncrypto which is a wrapper library for the kernel crypto algorithms.
I'll try to reply on other parts later, but
(In reply to comment #22)
> In that case
> it should be rewritten using the libncrypto which is a wrapper library for the
> kernel crypto algorithms.
I don't think libncrypto should be used by "ordinary" applications - we want to consolidate the libraries used by applications, not fragment them more. Upstreams will probably not want to use a Linux-specific library anyway.
Development Management has reviewed and declined this request. You may appeal
this decision by reopening this request.
See also bug 675708