Red Hat's Fedora 21 brimming with security, crypto upgrades

Changes to Fedora, like smart card access control and systemwide policy for cryptography, could end up in Red Hat Enterprise Linux

Fedora 21, the next version of Red Hat's Fedora distribution of Linux, just received a slew of new feature approvals courtesy of the Fedora Engineering and Steering Committee.

According to Phoronix, among the most significant new changes included are a new systemwide policy for the handling of cryptography. The idea, according to Fedora's own wiki, is to "unify the crypto policies used by different applications and libraries" so that all applications running on a given Fedora system can have a consistent level of cryptography set between them.

Under this plan, Fedora would have a number of predefined security levels, each of which would define various behaviors relating to crypto: what versions of TLS/SSL/DTLS would be acceptable, what parameters would be valid for certificates and key exchanges, what signature hash functions are acceptable, and so on.

The exact plans are under wraps right now, especially since implementing this plan would require changes in, among other items, libraries like GnuTLS. That library was recently found to have a long-undetected bug that could have allowed data theft by way of a specially crafted encryption certificate. Perhaps one of the side effects of the Fedora security-profile plan would be some additional auditing of the crypto libraries used in Fedora (and Linux generally).

Other prospective changes to Fedora 21 include improvements to the management of PC/SC smart cards, to make it more difficult for unauthorized users or processes to read data from or alter a smart card. InfoWorld's Roger Grimes has been skeptical of smart cards as a security cure-all -- they often add less security than is bruited -- but any boost to their safety and utility on Linux is a net gain.

Another set of major changes involves DNF, or "Dandified Yum," Fedora's replacement for the yum package manager. DNF hasn't landed as a full-blown replacement for yum yet -- this is slated to happen in Fedora 22 -- but adventurous users can install DNF manually and use it side-by-side with yum if they choose.

The Fedora Project serves two functions in the Linux world. One, it's an end-user Linux distribution that concentrates on being built without proprietary or patent-encumbered components. The downside is a long list of items that can't be bundled with Fedora by default, including many commonplace features like MP3 or Adobe Flash support, although they can be added by hand via third-party repositories.

The other big function Fedora serves is as a kind of test bed for technologies that might be included in Red Hat Enterprise Linux. The list isn't exclusive -- that is, new features to RHEL don't always appear in Fedora first -- but many of the features included in Fedora ought to be considered good candidates for future additions to RHEL. Here, the enhanced encryption and security features seem likely to show up in the enterprise version, though they'll need a good long shakedown period in Fedora before being baked into RHEL.

The final list of features for Fedora 21 hasn't been completed yet, but the deadline for specifying those final changes will be April 8. Fedora 21 itself will be out, at the earliest, by October 21.

This story, "Red Hat's Fedora 21 brimming with security, crypto upgrades," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.

How to choose a low-code development platform