Package has no effect on system crypto policy

Bug #1926664 reported by Mark Johnston
This bug affects 2 people
Affects: crypto-policies (Ubuntu); Status: Won't Fix; Importance: High; Assigned to: Andreas Hasenack

Bug Description

The crypto-policies package's description is "unify the crypto policies used by different applications and libraries". Its README.md says "The current implementations works by setting the desired policy in /etc/crypto-policies/config. After this file is changed the script 'update-crypto-policies' should be executed, and the new policies will activate."

This information is misleading, because the crypto-policies package doesn't seem to have any effect on the system's crypto policies. Running update-crypto-policies only updates files in /etc/crypto-policies, but those files are not referenced by OpenSSL, OpenSSH, or any other system config files.

The update-crypto-policies tool will also give the misleading output "The configured policy is applied" when the policy is having no effect on the system.

To reproduce:

1) update-crypto-policies --set EMPTY
2) curl https://ubuntu.com

The curl should fail, since EMPTY mode is supposed to disable all ciphers, but it will succeed.

I think this package should be removed as misleading and dangerous, or at least equipped with warnings stating that it will not do anything unless the user manually changes all of their system configuration files to reference those in /etc/crypto-policies/.

Andreas Hasenack (ahasenack) wrote:

I'm starting an effort in this 22.10 cycle to see what we can do with this package, and how to integrate it with ubuntu.

While the package is working as intended, its claims are indeed false because the rest of the system is not aware of the generated configuration snippets that implement the chosen policy.

I will leave this bug open for now, while I decide what to do in this context, but I may close it in favor of bugs against the individual packages and applications to honor the policies set here. We will see. Perhaps in the meantime I can add the warning you suggested.

Changed in crypto-policies (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: New → Triaged
importance: Undecided → Medium
importance: Medium → High
milestone: none → ubuntu-22.06
Andreas Hasenack (ahasenack) wrote:

Related: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285

I might close this bug here as a duplicate of the above, and work there, as changes to other packages will be needed as well.

Michael Catanzaro (mike-catanzaro) wrote:

These bugs are wholly unrelated, not duplicates!

The bug "SSL trust not system-wide" is primarily about fixing Ubuntu's Firefox and Thunderbird to properly use p11-kit, and secondarily about fixing Debian's ca-certificates package to not completely suck so that things will actually work properly. This has nothing to do with crypto-policies. Having a shared system trust for ca-certificates, managed by p11-kit, should absolutely be done even if you choose not to adopt crypto-policies. The p11-kit trust is an expected feature of modern Linux systems, and Debian/Ubuntu ought to catch up here. (There are many serious problems with Debian/Ubuntu's current ca-certificates because nobody seems interested in fixing the Debian-specific stuff. I would seriously consider switching to use Fedora as your ca-certificates upstream instead.)

In contrast, the crypto-policies package provides Fedora-specific configurations for various libraries and applications. This affects only which protocols, algorithms, and features are permitted to be used. This is unrelated to having a shared system trust. crypto-policies is good in that it allows configuring a whole bunch of different libraries in one place, but none of this work was ever upstreamed, and it is definitely not suitable for Ubuntu in its current state. You are going to need either significant downstream patching -- or else upstream contributions -- in every library or application that crypto-policies is able to configure. crypto-policies is not currently an expected feature of modern Linux systems; currently, only Fedora ecosystem distros support it. My opinion of crypto-policies is that it's half-baked specifically *because* none of this was ever upstreamed. It would absolutely be a good feature if we could get things upstream. Having Ubuntu maintain downstream patches in dozens of different packages in order to make it work, like Fedora does, does not seem like progress.

Andreas Hasenack (ahasenack) wrote:

You are right that it's not a duplicate, sorry for the confusion. It's part of the "centralized SSL" concept, but it tackles a different area.

About crypto-policies, evaluating how it would look in ubuntu, what amount of work is needed, and how many downstream (our) patches we will have, that is all part of the work, and in the end we may discard it, or come up with an alternative. For now, it's merely a starting point.

Anders Larsson (anderslarsson) wrote:

Are there any plans of including backend policies for later releases of Ubuntu 22.04 too, or is the crypto-policies currently a dead package on 22.04?

Anders Larsson (anderslarsson) wrote:

Just wanted to add that on Ubuntu 20.04 there are a few backends. My question is in that case, how come the backends are missing on Ubuntu 22.04?

bind.config
gnutls.config
java.config
krb5.config
libreswan.config
libssh.config
nss.config
openssh.config
opensshserver.config
openssl.config
opensslcnf.config

Andreas Hasenack (ahasenack) wrote:

First we have to tackle the devel releases, see what we will do with the package there.

Andreas Hasenack (ahasenack) wrote:

> Just wanted to add that on Ubuntu 20.04 there are a few backends. My question is in that case, how come the backends are missing on Ubuntu 22.04?

@anderslarsson, in jammy the back-ends directory and its contents are created after you run update-crypto-policies --set <name> for the first time. Note that it still does nothing, as no packages in ubuntu are including these configuration snippets generated by crypto-policies.

Anders Larsson (anderslarsson) wrote:

Thanks for letting me know. It seems like it indeed doesn't do anything on Ubuntu 20.04 either.

Andreas Hasenack (ahasenack) wrote:

Correct, it just generates the config files, but they are not included by anything. You can manually edit all the individual configuration files for the services you want to participate in the policy if you want. For krb5 and the ssh server, for example, add an include statement. Likewise for bind9 and openssl (these are a bit trickier, as you have to find the right section). gnutls is simpler: just /etc/gnutls/config (you can symlink it to the corresponding config snippet in back-ends), and so on. Still, this bug remains valid.
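The reproduction in the bug description and the manual-include advice in this comment both come down to one question: does anything under /etc actually reference the snippets that update-crypto-policies writes to /etc/crypto-policies/back-ends? The audit script below is an added example, not part of the bug report or of the crypto-policies package. It greps a configuration root for references to each back-end snippet and reports the ones nothing consumes, exiting non-zero when a snippet is orphaned. Its --demo mode builds a constructed temporary tree (the include line and snippet bodies in it are made up for the demonstration, not the real file formats) so it runs offline; pointing it at /etc audits the live system.

```shell
#!/bin/sh
# Added example (not from the bug report or the crypto-policies package):
# report which back-end snippets under <root>/crypto-policies/back-ends are
# referenced by some other file under <root>. An unreferenced snippet has
# no effect on the system, which is the gap this bug is about.

# Number of *.config snippets in <root>/crypto-policies/back-ends (0 if absent).
cp_backend_count() {
    d="$1/crypto-policies/back-ends"
    [ -d "$d" ] || { echo 0; return 0; }
    find "$d" -maxdepth 1 -name '*.config' | wc -l | tr -d ' '
}

# Files under <root> (the crypto-policies tree itself excluded) that mention
# the snippet named $2, e.g. openssl.config. Prints one path per line.
cp_backend_consumers() {
    grep -rlF --exclude-dir=crypto-policies \
        "crypto-policies/back-ends/$2" "$1" 2>/dev/null
}

# Print "<snippet> <consumer count>" for each snippet. Exit status: 0 if every
# snippet is consumed, 1 if at least one is orphaned, 2 if there are no
# snippets at all (update-crypto-policies --set <policy> has not been run).
cp_audit() {
    root="${1:-/etc}"
    d="$root/crypto-policies/back-ends"
    [ -d "$d" ] || { echo "no back-ends under $root; run update-crypto-policies --set <policy> first" >&2; return 2; }
    rc=0
    for f in "$d"/*.config; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        n=$(cp_backend_consumers "$root" "$name" | wc -l | tr -d ' ')
        echo "$name $n"
        [ "$n" -gt 0 ] || rc=1
    done
    return $rc
}

# Constructed tree for an offline run: two snippets, only gnutls wired up.
# The include line and snippet bodies are made up for this demo and are not
# the real file formats.
cp_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/crypto-policies/back-ends" "$t/gnutls" "$t/ssh"
    printf 'SYSTEM=NORMAL\n' > "$t/crypto-policies/back-ends/gnutls.config"
    printf 'CipherString = DEFAULT\n' > "$t/crypto-policies/back-ends/openssl.config"
    printf 'include %s/crypto-policies/back-ends/gnutls.config\n' "$t" > "$t/gnutls/config"
    printf 'Port 22\n' > "$t/ssh/sshd_config"
    echo "$t"
}

# Usage:  sh cp_audit.sh /etc      audit the live system
#         sh cp_audit.sh --demo    run against the constructed tree
if [ $# -gt 0 ]; then
    if [ "$1" = "--demo" ]; then
        t=$(cp_demo_tree); cp_audit "$t"; rm -rf "$t"
    else
        cp_audit "$1"
    fi
fi
```

On a stock jammy system after update-crypto-policies --set EMPTY, the audit lists every snippet with a consumer count of 0, which is exactly why the curl in the bug description still succeeds; after adding include statements as described in this comment, the counts for those services go to 1 and the exit status becomes 0.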

Andreas Hasenack (ahasenack) wrote:

We have decided to not engage in the work to integrate this package in ubuntu at this time. A removal bug was filed:

https://bugs.launchpad.net/ubuntu/+source/crypto-policies/+bug/1993339

Changed in crypto-policies (Ubuntu):
status: Triaged → Won't Fix