From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:49921)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1SbgQv-0001dz-AE
	for qemu-devel@nongnu.org; Mon, 04 Jun 2012 19:11:34 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1SbgQt-0000pl-Lk
	for qemu-devel@nongnu.org; Mon, 04 Jun 2012 19:11:32 -0400
Received: from mail-pz0-f45.google.com ([209.85.210.45]:37943)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1SbgQt-0000p4-FI
	for qemu-devel@nongnu.org; Mon, 04 Jun 2012 19:11:31 -0400
Received: by dadv2 with SMTP id v2so7015361dad.4
	for <qemu-devel@nongnu.org>; Mon, 04 Jun 2012 16:11:29 -0700 (PDT)
Message-ID: <4FCD409C.70003@codemonkey.ws>
Date: Tue, 05 Jun 2012 07:11:24 +0800
From: Anthony Liguori <anthony@codemonkey.ws>
MIME-Version: 1.0
References: <20120502193256.6508.86360.stgit@sifl>
	<4FCAB60E.1070107@codemonkey.ws> <10302697.mednriu9QL@sifl>
In-Reply-To: <10302697.mednriu9QL@sifl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password
 authentication (security type 2) when in FIPS mode
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Paul Moore <pmoore@redhat.com>
Cc: qemu-devel@nongnu.org

On 06/05/2012 02:16 AM, Paul Moore wrote:
> On Sunday, June 03, 2012 08:55:42 AM Anthony Liguori wrote:
>> This needs to be optional and disabled by default I think.  I strongly
>> dislike  disabling a feature when a user isn't asking for it.  You can
>> introduce a global -enable-fips-mode or something like that.
>
> I'll resend the patch, but before I do I want to make sure the defaults are
> set to whatever you find acceptable to merging and the second sentence above
> has me a little confused; do you mean "... dislike _enabling_ a feature when a
> user isn't asking for it."?

I dislike *removing* a feature unless a user has explicitly asked us too.

If a user isn't aware that fips mode is enabled, they will have no idea why VNC 
authentication doesn't work.  I think we should let a user choice whether they 
want QEMU to respect fips mode or not.

Regards,

Anthony Liguori

>