[openstack-dev] [Openstack-operators] FIPS Compliance

Doug Hellmann doug at doughellmann.com
Wed Nov 7 17:35:07 UTC 2018


Joshua Cornutt <jcornutt at gmail.com> writes:

> On Wed, Nov 7, 2018 at 7:30 AM Doug Hellmann <doug at doughellmann.com> wrote:
>>
>> Joshua Cornutt <jcornutt at gmail.com> writes:
>>
>> > Doug,
>> >
>> > I have such a list put together (my various installation documents for
>> > getting these clouds working in FIPS mode) but it's hardly ready for
>> > public consumption. I planned on releasing each bit as a code change
>> > and/or bug ticket and letting the community consume it as it figures
>> > some of these things out.
>>
>> It's likely that the overall migration will go better if we all have the
>> full context. So I hope you can find some time to publish some of the
>> information you've compiled to help with that.
>>
>> > I agree that some changes may break backwards compatibility (such as
>> > Glance's image checksumming), but one approach I think could ease the
>> > transition would be the approach I took for SSH key pair
>> > fingerprinting (also MD5-based, as is Glance image checksums) found
>> > here - https://review.openstack.org/#/c/615460/ . This allows
>> > administrators to choose, hopefully at deployment time, the hashing
>> > algorithm with the default of being the existing MD5 algorithm.
>>
>> That certainly seems like it would provide the most compatibility in the
>> short term.
>>
>> That said, I honestly don't know the best approach for us to take. We're
>> going to need people who understand the issues around FIPS and the
>> issues around maintaining backwards-compatibility to work together to
>> create a recommended approach. Perhaps a few of the folks on this thread
>> would be interested in forming a team to work on that?
>>
>> Doug
>>
>
> I'd be interested in that. Good idea.

I added "FIPS compliance" to the list of community goal ideas in
https://etherpad.openstack.org/p/community-goals (see number 35,
currently at the bottom of the etherpad).

Please add more detail there about what exactly is involved, references,
etc. -- whatever you think would be useful to someone learning about
what this is.

>
>> > Another approach would be to make the projects "FIPS aware" where we
>> > choose the hashing algorithm based on the system's FIPS-enforcing
>> > state. An example of doing so is what I'm proposing for Django
>> > (another FIPS-related patch that was needed for OSP 13) -
>> > https://github.com/django/django/pull/10605
>> >

-- 
Doug
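The two approaches discussed above (an operator-configurable fingerprint hash with MD5 as the backwards-compatible default, and a "FIPS aware" selection driven by the system's enforcing state) can be combined in one small selector. The following is an added illustration, not code from Nova, from the linked Gerrit change, or from the Django pull request; every function name is hypothetical. It reads the Linux kernel's `/proc/sys/crypto/fips_enabled` flag (a real interface) and assumes a small set of SHA-2 names as the hashes permitted under enforcement; that set is an assumption for the example, not a statement of what any validated module allows.

```python
"""Hypothetical example: a key-pair fingerprint hash that is configurable
(MD5 default for compatibility) but switches to SHA-256 when the host is
enforcing FIPS mode. Illustrative only; not OpenStack or Django code."""
import base64
import hashlib

# Linux kernels expose the FIPS-enforcing state here ("1" when enforcing).
FIPS_ENABLED_PATH = "/proc/sys/crypto/fips_enabled"

# Assumption for this example: the hashes we are willing to use while the
# host enforces FIPS. MD5 is deliberately absent.
FIPS_ALLOWED = {"sha224", "sha256", "sha384", "sha512"}


def system_fips_enforcing(path=FIPS_ENABLED_PATH):
    """Return True if the kernel reports FIPS enforcement, False otherwise
    (including on hosts where the flag does not exist)."""
    try:
        with open(path) as handle:
            return handle.read().strip() == "1"
    except OSError:
        return False


def select_fingerprint_algorithm(configured="md5", fips_enforcing=None):
    """Pick the hash name to use for fingerprints.

    'configured' is the operator's deployment-time choice (MD5 default, as
    in the configurable-hash approach). If the host enforces FIPS and the
    configured hash is not in FIPS_ALLOWED, fall back to SHA-256 instead of
    letting hashlib fail later at fingerprint time (the FIPS-aware approach).
    """
    if fips_enforcing is None:
        fips_enforcing = system_fips_enforcing()
    configured = configured.lower()
    if configured not in hashlib.algorithms_available:
        raise ValueError("unknown hash algorithm: %s" % configured)
    if fips_enforcing and configured not in FIPS_ALLOWED:
        return "sha256"
    return configured


def fingerprint(public_key_blob, algorithm):
    """Format a fingerprint of the raw public key bytes.

    MD5 keeps the classic colon-separated hex form so existing consumers
    see no change; other hashes use the OpenSSH-style "SHA256:<base64>"
    form with padding stripped.
    """
    digest = hashlib.new(algorithm, public_key_blob).digest()
    if algorithm == "md5":
        return ":".join("%02x" % byte for byte in digest)
    encoded = base64.b64encode(digest).decode("ascii").rstrip("=")
    return "%s:%s" % (algorithm.upper(), encoded)


def fingerprint_for_config(public_key_blob, configured="md5",
                           fips_enforcing=None):
    """Convenience wrapper: select the algorithm, then fingerprint."""
    algorithm = select_fingerprint_algorithm(configured, fips_enforcing)
    return algorithm, fingerprint(public_key_blob, algorithm)


if __name__ == "__main__":
    # Constructed sample input; a real caller would pass the decoded
    # public-key blob from an SSH key pair.
    sample_key = b"constructed-public-key-bytes"
    for enforcing in (False, True):
        algorithm, value = fingerprint_for_config(sample_key, "md5",
                                                  fips_enforcing=enforcing)
        print("fips_enforcing=%s -> %s %s" % (enforcing, algorithm, value))
```

Keeping the selection in one function means the compatibility default and the FIPS override are reviewed together, and the FIPS path is exercised in tests on non-FIPS hosts by passing `fips_enforcing=True` explicitly rather than depending on the kernel flag.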