Hi, I noticed that systemd on Fedora (at least on the atomic variants) is compiled without support for forward secure sealing (fss). This is a systemd feature to detect journal tampering and verify the integrity. Any idea why this is turned off or where to propose turning it on in case there isn’t a reason for it being off?
Hi,
the same on ‘normal Fedora’:
❯ journalctl --setup-keys
Compiled without forward-secure sealing support.
systemd is compiled WITHOUT gcrypt which is needed by fss.
I’m hoping you will not ask me why it’s not compiled with this ^ - I honestly don’t know.
found:
libgcrypt is strongly disfavored, so I’m not surprised to see it disabled wherever possible. Often it’s better to depend on OpenSSL instead.
The commit responsible for turning it off is this one. Removing the dependency on libgcrypt apparently significantly simplifies the dependency tree for systemd.
Out of curiosity I’ve reverted that commit and built in COPR. It appears to still work but I think I’m in agreement with the others that the feature doesn’t justify reintroducing the dependency.
I’ll drop a comment on that GitHub post clarifying what’s happened, but I think we won’t be able to re-enable this feature until it’s moved over to OpenSSL.
Thank you for the details!
I don’t think it’s worth it either to introduce that dependency again. Let’s hope it gets moved over to OpenSSL at some point.