[Pacemaker] Building pacemaker without gnutls

Andrew Beekhof andrew at beekhof.net
Wed Aug 13 23:14:54 EDT 2014


On 13 Aug 2014, at 8:53 am, Oren <theoren28 at hotmail.com> wrote:

> Hi,
> Anything you can do will be appreciated.
> Regarding the FIPS concern, I hear you but it's never really that black and white.
> One way to look at it is as follows:
> 1) Allowing pacemaker to compile with OpenSSL and without GnuTLS (original post)

Without gnutls is (or should be) certainly possible.  The relevant #ifdef's should be in place to allow this.

Compiling with openssl, that's a less certain prospect - I can't imagine it's a drop-in replacement.
I wouldn't object to a patch if someone proposed one, but it's not something I can imagine I will spend significant time on myself.

It's certainly not a requirement that I've heard from anyone else so far.
If that changes, I would certainly look at re-prioritizing it.

> 2) Making pacemaker a FIPS approved software
> Alt. 1 is Practical; Common (e.g., freetds RPM); Natural and Extends package "availability" 
> (FIPS customers that are not allowed to use GnuTLS will have pacemaker in the gray area rather than black)
> Alt. 2 is Expensive; Takes time; but gains Certificated and Business motivated.
>  
> The less secure claim is also gray.

These days it seems prudent to be suspicious whenever a particular government and cryptography are mentioned in the same sentence.
Especially when they are mandating the "one true version" of a piece of software to be used everywhere.

> Major security fixes are nowadays released quickly (e.g., heartbleed).
> Anyway, how users handle bugs in FIPS env. is not an HA community concern.
> Best,
> Oren
