Announcement

**boxie** · 08 June 2018, 12:15 AM

I can see an immutable "Old Vender" VM window thing - where they just have old versions of browsers with java and flash installed.

Why?

Old IT Gear. Old vender gear that used to have state of the art out of band management. that requires a given version of java 5 or flash.

this will be the legacy of vender lockin

**Creak** · 08 June 2018, 12:48 AM

The problem is that the user don't always have the choice in the crypto algorithm he has to use. I've happened to work in companies that was still using MD5 for storing passwords. I agree that it's a huge security risk to use that algorithm nowadays, but without it, I would not be able to work remotely. So, in the end, I would not use Fedora 29 because it would not be compatible with my work (old) security policies.

Unless the old algorithms are available in a "compat" package.

**starshipeleven** · 08 June 2018, 04:38 AM

Originally posted by boxie View Post

I can see an immutable "Old Vender" VM window thing - where they just have old versions of browsers with java and flash installed.

Why?

Old IT Gear. Old vender gear that used to have state of the art out of band management. that requires a given version of java 5 or flash.

this will be the legacy of vender lockin

It's already like this for industrial automation, everyone has a VM with the old software running in an old Windows version they use to communicate with 10yo or older industrial equipment.

I would not call out of band management using flash or java "state of the art", it was a piece of shit even when it was new, breaking left and right at any update of java/flash or the OS or whatever and requiring hacks or workarounds. Many people used VMs or dedicated PCs (that would NOT be updated) even when they were "supported".

Also "vender" --> "vendor"

**starshipeleven** · 08 June 2018, 04:39 AM

Originally posted by Creak View Post

The problem is that the user don't always have the choice in the crypto algorithm he has to use. I've happened to work in companies that was still using MD5 for storing passwords. I agree that it's a huge security risk to use that algorithm nowadays, but without it, I would not be able to work remotely. So, in the end, I would not use Fedora 29 because it would not be compatible with my work (old) security policies.

Unless the old algorithms are available in a "compat" package.

Fedora isn't targeting this kind of userbase. There is RHEL for that.

**Delgarde** · 08 June 2018, 04:45 AM

Yeah, as good as it is to disable older versions of protocols, it does come with problems. About a year ago, we did a major upgrade for a piece of enterprise software for a client... and it turned out that part of the upgrade included the webserver disabling TLS 1.1 by default. Not a problem for the human users, but it turned out the client was running a bunch of adapter code that was old enough to not support TLS 1.2... and which suddenly was unable to talk to the upgraded servers.

It was apparently quite an argument, over whether the old code should be fixed for modern compatibility, or whether the server should be configured to re-enable the less-secure protocols... I *think* security won in the end...

**chenxiaolong** · 08 June 2018, 08:08 AM

Originally posted by Creak View Post

The problem is that the user don't always have the choice in the crypto algorithm he has to use. I've happened to work in companies that was still using MD5 for storing passwords. I agree that it's a huge security risk to use that algorithm nowadays, but without it, I would not be able to work remotely. So, in the end, I would not use Fedora 29 because it would not be compatible with my work (old) security policies.

Unless the old algorithms are available in a "compat" package.

From the wiki page, it looks like the user can easily reenable the legacy crypto algorithms with:

Code:

update-crypto-policies --set LEGACY

Changes/StrongCryptoSettings2 - Fedora Project Wiki

https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

**boxie** · 08 June 2018, 09:12 PM

Originally posted by starshipeleven View Post

It's already like this for industrial automation, everyone has a VM with the old software running in an old Windows version they use to communicate with 10yo or older industrial equipment.

I would not call out of band management using flash or java "state of the art", it was a piece of shit even when it was new, breaking left and right at any update of java/flash or the OS or whatever and requiring hacks or workarounds. Many people used VMs or dedicated PCs (that would NOT be updated) even when they were "supported".

Also "vender" --> "vendor"

That's why i was thinking there is going to be a ready made "virtual" - it would certainly be helpful instead of hunting around for old install disks and old versions when you find yourself needing one.

as for vender vs vendor - yes, I should have used vendor.

Announcement

Fedora 29 To Further Strengthen Crypto Settings

Fedora 29 To Further Strengthen Crypto Settings

Comment

Comment

Comment

Comment

Comment

Comment

Comment