Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm sure Red Hat has the money to pay someone to implement FIPS for their port.


I'm sure they do, too. It isn't that simple.


What isn't simple about Red Hat paying a third-party to write some software and get it certified? Other companies are doing it for themselves, surely Red Hat can find someone qualified.


Just "write some software and get it certified"? Sounds so simple, why doesn't everyone do it?

Because it isn't just getting a body of code certified once.

Someone has to maintain that specific code and either upstream or backport important changes which require a re-certification, neither of which LibreSSL is interested in helping with.


Once LibreSSL has reached a point of minimal disruptive change, FIPS support could be re-implemented as a series of third-party patches, which could then be certified as needed.

For example, create a fipssl project which is patches to a specific version of LibreSSL; take the result (LibreSSL v1.x + fipssl v1.2 = libfipssl v1.2) and then get that certified. Companies/contractors which need FIPS certification then use libfipssl v1.2.

The fipssl maintainers then just have to track LibreSSL changes until their next release, which (for a series of small, maintainable patches) shouldn't be too difficult. The grsecurity project has been doing the same thing with the Linux kernel for years.


"Sounds so simple, why doesn't everyone do it?"

Well, need & money, both of which Red Hat has. I am unclear how a company that maintains an enterprise distribution and writes a lot of code cannot find the folks needed to do FIPS if it is that important for their government contracts.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: