Re: DJ Ware, Is Fedora 42 safe?

DJ Ware, on his YouTube channel, has just published his ‘Audit of Fedora 42’. https://www.youtube.com/watch?v=bWXmDvKU1Ww Now his discussion was way beyond my ability to respond critically, but it immediately reminded me of when Ralph Nader published ‘Unsafe At Any Speed’ back in the 1960s. Remember what that book did for the Chevy Corvair?

I hope that Fedora and the Fedora Community will respond to DJ Ware. As far as I am aware he is a legitimate Linux expert whose opinions deserve a reasoned response.

1 Like

I haven’t watched the entire video but out of his first 3 points, 2 are either not regulated by Fedora directly or are not of the severity ‘critical’ as he states.

I don’t know enough about his first point (Spectre mitigation), but the second point, Intel CPU thermal management, is mostly dependent on the kernel version and Intel’s own thermal curve settings for specific cpu families. It may very well be different in the next kernel update which is usually only weeks away. They are mostly kernel defaults set by Intel themselves. Apart from that it’s user configurable, so it’s not an inherent problem with the system under Fedora’s influence.

The third point is dependent on whether the user configures any network drives to automatically be mounted, and is a process that runs mostly in parallel with the system boot. The system will need a network connection first to mount any network drives, so if the system relies on wifi this could take a while to be available. Labelling this point as critical is not reasonable, and it is not something that is configured by Fedora but is a combination of the user’s configuration, the desktop environment’s choices and how they interact with systemd.

His criticisms are fine from a perspective of improving user experience and overall system stability, but certainly don’t reach the level of critical as easily as he implies. He should also be more precise in pointing to the source of each issue, rather than sweeping it under the umbrella “Fedora”. Most of the issues will likely exist in the same way on any distribution that makes use of the upstream components in question.

Maybe other people want to react to more points in the video.

4 Likes

Thank you. I hope there are many replies, including direct replies to his YouTube. I should note that he has not always been ‘down’ on Fedora. My recollection is that he thought rather highly of it, which I guess just added to my concern.

1 Like

I have been dual+ booting Windows and Manjaro. The past few days I have been working on backing up my system and I was going to switch and make Fedora 42 my main daily driver. Then, last night I stumbled across the video you all are referring to, kind of made me pause. I hope this thread gets lots of discussion because I don’t know much about systemd and the upsides or downside of it. But, this guy in the video seems to know his stuff. Err, confusion is setting in again.

Does he? @litemotiv is clearly not convinced.

I expect the points he makes can be raised against any distro using Linux and, as Oliver said, are not critical as he claims.

1 Like

Agree with you and @litemotiv. I believe this guy was talking as a whole. But, what makes me nervous is that I don’t have enough knowledge to know if his points will, or won’t, affect me.

Don’t get me wrong, I probably will still go Fedora, it is just one of those times where I was set on something and then speed bump out of nowhere.

Edited: Oh, and systemd does seem to be getting out of control. I kind of hope this is addressed before linux is so dependent that there is no turning back…

Have these “audit” findings been documented in writing and bugs raised in Fedora Bugzilla? I had a look at the YouTube transcript, but that doesn’t have enough detail to be useful.

1 Like

I use systemd all the time and it’s responsible for my systems being under my control and being easy to maintain.

Why do you think systemd is out of control?

3 Likes

FIPS is interesting; it broke a few GUI Terminals unexpectedly :stuck_out_tongue: (somehow maximizing xfce4-terminal or just opening kgx rely on crypto algos that seemingly aren’t compatible with FIPS)

Fedora mentions 140-2; the video mentioned F42 didn’t pass phase 1. I’m not too familiar with phase testing FIPS, but that sounds like it should be looked at.

openSUSE TW has 140-3 in repos.


Thermal management I can see being an issue as far as trying to have generic power-saving everywhere. I’m assuming tuned or profiles does something non-ideal, but I remove that and just set max CPU or balanced from x86_energy_perf_policy with udev rules every distro to not guess :stuck_out_tongue: (notes)

Regarding FIPS, read F42 Change Proposal: Remove fips-mode-setup (system-wide)

I’m convinced that FIPS mode is entirely irrelevant for Fedora. By the time you have your crypto modules validated and certified, you can restart the process with a new release. No government institution is interested in repeating that expensive process every 6 months…

4 Likes

I was into FIPS for the status symbol of running stuff with the compliance :stuck_out_tongue:


On Windows, FIPS was easy with FipsAlgorithmPolicy and took effect immediately without a reboot (MD5 was blocked). According to MS they validated on 10 21H2 (latest LTSC and longer-support than current W10 22H2), and while 11 was validated 21H1, FIPS enabled and worked 24H2.


I’m thinking the code for having FIPS functional is easier than seeking the validation. I’m mainly interested in knowing that older algos are blocked/higher ones preferred. FIPS is an easy target for that cross-OS.

I’m thinking FIPS’s requirements are just a set of crypto algo policies (that can be set-up with code), and a test to make sure everything works (official validation procedures; but making sure the algo policies work are good-enough end-user).

If FIPS worked on general Linux (the Terminal thing implies nobody really tests it), I’d use it.

1 Like

You’re assuming FIPS improves security. It doesn’t. FIPS is a compliance thing. If you want to disable older algorithms, crypto-policies is the tool to do that. For example, run your Fedora with the DEFAULT:NO-SHA1 crypto-policy by running sudo update-crypto-policies --set DEFAULT:NO-SHA1 (update-crypto-policies is in the crypto-policies-scripts package). In fact, FIPS is very specific to the requirements of the US (and Canadian) government. It will disable all algorithms that were not invented or specified by these governments, some of which are actually considered significantly better than the algorithms allowed by FIPS.

For example, in FIPS mode your disk encryption key is derived from the disk encryption password using PBKDF2, which is a pretty dated password-based key derivation function, and potentially vulnerable to attacks by GPUs. Modern alternatives exist, and Fedora uses Argon2 by default outside of FIPS mode, because that algorithm has defenses against GPU-based attacks.

Different example, in FIPS mode your TLS connections will no longer use ChaCha20-Poly1305 for symmetric encryption, and instead fall back to AES-GCM. Now, there is no reason to assume AES-GCM is worse than ChaCha20-Poly1305 (except for the pitfall of IV reuse, which can be critical with AES-GCM, but is widely understood and mitigated), but there’s also absolutely no evidence that AES-GCM is any better than ChaCha20-Poly1305, and the latter can actually occasionally deliver better performance in systems that don’t have CPU acceleration for AES.

Another example, key exchange with curve25519 is not available in FIPS mode, neither for your SSH, nor your TLS connections. Curve25519 was designed to avoid implementation pitfalls when dealing with elliptic curves, and is fast. ECDH over the NIST ECC curves does not avoid the implementation pitfalls, and is considerably harder to implement correctly (people, never implement your own crypto, please!).

The same thing applies for Ed25519 and Ed448, which are signature algorithms. Now, NIST did actually add those to FIPS 186-5 recently, making them FIPS-compliant, but only after many people asked for that.

FIPS mode also changes the random number generator used by the kernel (although I’m honestly not sure whether those patches are even in Fedora in the first place), and places stricter requirements on re-seeding and entropy gathering, which means in practice you’ll get much slower DRBG performance in FIPS mode. We’re talking an order of magnitude here. Also, some recent improvements such as the vDSO getrandom() must be completely disabled in FIPS mode.

That is only partially correct.

Yes, FIPS is a set of crypto-algorithm policies, but those can also be set with the existing crypto-policies mechanism of Fedora.

It is also official validation by an accredited lab, but that doesn’t apply to Fedora, because we don’t do this validation for Fedora (it takes years, by the time a certificate would be issued, the version it was issued for would no longer be supported).

However, FIPS also comes with additional runtime testing requirements that have a significant impact on performance. The biggest offender here is that in FIPS mode, cryptographic libraries must test their own integrity on startup, and test their algorithms with a known-answer test before allowing their use. In practice that means that every single process that loads OpenSSL will first self-test its SHA2 implementation, then self-test its HMAC implementation, then compute an HMAC over the OpenSSL libraries, compare it against the expected value, then proceed to self-test every other algorithm it offers or you want to use. The impact on startup performance is huge.

For the reasons mentioned above, I can’t stress this enough: If you’re not required to run in FIPS mode because you’re working for the US government, don’t use FIPS mode. It does not give you what you might think it does.

Now, back to the original point made in the video:

For the FIPS section, this person does not seem to know what they’re talking about. FIPS does not come with requirements for logging, which they seem to be implying.

It only specifies requirements for implementations of cryptographic primitives. However, the validation required to be actually compliant with FIPS to be able to use it in US government environments costs a 5-6 figure sum, takes about 2.5 years, and is only valid for the specific version it was done for. This is entirely pointless for Fedora, given its release cycle.

This person does not seem to know a great deal about FIPS, and their points about FIPS compliance are wrong.

16 Likes
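The startup sequence described in the post above (a SHA-2 known-answer test, an HMAC known-answer test, then an HMAC over the library compared against an expected value) can be shown in a few lines of Python. This is an added example, not part of the thread and not OpenSSL's code; the integrity key, the file name `libexample.so` and the file contents are constructed for the illustration.

```python
import hashlib
import hmac
import pathlib
import tempfile

# Constructed integrity key; a real module embeds its own at build time.
INTEGRITY_KEY = b"constructed-example-integrity-key"
# Published known answers: SHA-256("abc") and RFC 4231 test case 2.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
HMAC_TC2 = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"

class SelfTestError(RuntimeError):
    """A startup check failed; the module must refuse to operate."""

def kat_sha256():
    return hashlib.sha256(b"abc").hexdigest() == SHA256_ABC

def kat_hmac_sha256():
    tag = hmac.new(b"Jefe", b"what do ya want for nothing?", hashlib.sha256)
    return tag.hexdigest() == HMAC_TC2

def module_hmac(path):
    """HMAC-SHA-256 over the file standing in for the crypto library."""
    return hmac.new(INTEGRITY_KEY, pathlib.Path(path).read_bytes(), hashlib.sha256).hexdigest()

def power_on_self_test(path, expected_hmac):
    """Run the checks in the order the post gives; fail closed on a miss."""
    if not kat_sha256():
        raise SelfTestError("SHA-256 known-answer test failed")
    if not kat_hmac_sha256():
        raise SelfTestError("HMAC-SHA-256 known-answer test failed")
    if not hmac.compare_digest(module_hmac(path), expected_hmac):
        raise SelfTestError("module integrity check failed")
    return True

def demo():
    """Verify a constructed 'library' file, then modify it and retry."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = pathlib.Path(tmp, "libexample.so")
        lib.write_bytes(b"constructed library bytes\n" * 1000)
        expected = module_hmac(lib)
        intact_ok = power_on_self_test(lib, expected)
        lib.write_bytes(lib.read_bytes() + b"\x00")  # simulated modification
        try:
            return intact_ok, power_on_self_test(lib, expected)
        except SelfTestError as err:
            return intact_ok, str(err)
```

Every process that loads the library repeats this whole sequence before its first cryptographic call, which is where the startup cost mentioned in the post comes from.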

From most of the so-called experts that make a living on YouTube by acting like they are experts, my chances of winning the Powerball are greater than my Fedora system being at risk.

4 Likes

Guys… Not sure about you but I feel this post can do more harm to Fedora usage than seeing PewDiePie moving to Linux :). Maybe an official answer pointing the discussion here would do something to calm people down. Instead of just dismissing the post as an “anti-systemd” mentality.
Unfortunately he used Fedora to point this out. So for their viewers (the majority of them looking to go into Linux) Fedora just got scorched.

The sway from others with any non-Windows OS is already kind of questionable :stuck_out_tongue:


At a base, none of the points in the video is a concern for anyone using Linux generally:

  • Nobody watching that video should know what C-Groups v2 is
  • Systemd PID 1 can’t mean anything vs all other mainstream distros
  • Rsyslog isn’t relevant (I never used it since 2016 any distro even F22+ :stuck_out_tongue:)

If someone’s looking for a reason not to use Fedora, then they already weren’t interested. If a newbie stumbles upon that video without knowing what Ubuntu or Mint is, that’s part of that sway issue :stuck_out_tongue:

Basically: Fedora 42 is safe.

1 Like

Check the comments. The people you refer to don’t know what all that jazz is. They just come out of that video with the idea that Fedora isn’t safe and should not be installed. Fedora is not safe. (Period). If I had seen that video 6 months ago, I would not have opted for Silverblue.

Why would you trust that video at face-value before trying the distro?

  • There’s at least 42 Fedora versions: That’s long-term deliverance of something worthwhile
  • Fedora is associated with Red Hat: Red Hat doesn’t mess around/is Enterprise
  • Fedora is mainstream: You can count the amount of serious mainstream distros worth using on desktop and Fedora is one of them
  • There’s probably tons of sway videos against mainstream distros: You’re free to try non-mainstreams, and with enough experience you’ll probably find reasons why those distros aren’t mainstream :stuck_out_tongue:
  • Linux is about choice; you don’t have to choose to be swayed. Read up on the distro and decide if it’s worthwhile, try it, and if it doesn’t suit you, try something else, and maybe come back to a distro you switched from.

As far as I can tell, the comments are:

  • Over-emotional (“This video really startled me”, and a "Thank you Sincerely " with 2 spaces looking like AI)
  • systemd bashing
  • Unrelated distro mentions (Void, Devuan)
  • Generic praise to the video creator

Basically nothing seriously discussing the topics; this thread probably has better discussion overall :stuck_out_tongue:


If you know Fedora, it’s probably the most secure desktop Linux distro available today. Meanwhile, someone could probably raise points that make Windows 7 sound more secure :stuck_out_tongue:

1 Like

.. not an official response …

That was back in Fedora 20 ..
edit: 998573 – No Default Syslog
It looks like it was only removed from core and not standard, and from the workstation-product. Which means it is still part of a lot of installations.

You can look at the FIPS specification: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf

The cgroupsv2 change was in Fedora 31, Changes/CGroupsV2 - Fedora Project Wiki

I can’t speak to the thermal or mount issues that were observed as I’ve never had those problems.

2 Likes

It’s a lot like the Mozilla TOS situation. A vlogger looking to create FUD because controversy generates clicks/views, and a decent chunk of the audience eating up everything they say. You can’t really combat that with objective responses refuting their points, the doubt has already been sowed in people’s minds.

6 Likes

Yeah, fundamentally this is about algorithmic $ocial media and the incentives it creates.

The risk is that if you get into responding, you set a precedent that you’ll spend your time dealing with every attack, however unsubstantiated. It’s exactly how bad actors use the “flood the zone with s–t” tactic.

If someone makes a YouTube video claiming that I’m a serial killer, is it on me to refute it?

If the “auditor” here is in good faith, then he should provide written audit findings and raise bugs, which Fedora can deal with on the merits.

6 Likes