FIPS compliance efforts in Fedora and RHEL

Nico Kadel-Garcia nkadel at gmail.com
Wed Apr 19 13:07:00 AEST 2023


On Tue, Apr 18, 2023 at 5:27 PM Demi Marie Obenour
<demiobenour at gmail.com> wrote:
>
> On 4/18/23 05:05, Norbert Pocs wrote:
> > Hi OpenSSH mailing list,
> >
> > I would like to announce the newly introduced patch in Fedora rawhide [0]
> > for FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
> > version.
>
> Why does Fedora care about FIPS 140?  To me, this seems like it
> should be specific to RHEL and maybe CentOS Stream, not Fedora.
> My understanding is that Fedora will never be FIPS 140 complaint
> anyway so there is no point in even trying, not least because
> the FIPS validated version will generally be _less_ secure than
> the non-FIPS version.  To give just one example, OpenSSH defaults
> to a post-quantum key exchange that FIPS does not allow.

Because Fedora is the alpha platform for RHEL, and Red Hat pays a lot
of their bills, both in cash and in development. In theory, leading or
bleeding edge work happens in Fedora first, and the folks who use
bleeding edge software pay for it by being the first to detect
incompatibilities and the first to need to hammer out backwards
compatibility.


More information about the openssh-unix-dev mailing list