Openembedded Core Discussions
From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Randy MacLeod <randy.macleod@windriver.com>
Cc: Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Re: Add libreSSL to oe-core?
Date: Tue, 05 May 2015 20:51:29 +0100
Message-ID: <1430855489.8074.10.camel@linuxfoundation.org>
In-Reply-To: <5547BE45.2050206@windriver.com>

On Mon, 2015-05-04 at 14:45 -0400, Randy MacLeod wrote:
> Should oe-core add libressl as an alternative to openssl and other
> OE SSL/TLS implementations?
> 
> We had a request from a customer to add LibreSSL so I was wondering
> about the plans of the Yocto community and indeed of the larger Linux
> distro community.
> 
> Libressl claims (aims?) to be a more stable, secure TLS implementation
> than OpenSSL. It was initially only for OpenBSD but it supports a
> variety of platforms now:
>     http://www.libressl.org/releases.html
> The CVE history enthusiastically summarized on Wikipedia:
>     https://en.wikipedia.org/wiki/LibreSSL
> does indicate that libressl has been vulnerable to fewer CVEs than
> openssl so far. I quickly reviewed:
>     https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
> but perhaps someone on the list has more direct experience, knowledge
> and/or opinions of implementations of TLS? Note that the libressl devs
> have stated that they have no interest in FIPS 140-2 certification:
>     http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
> so that could be a problem for some users.
> 
> 
> Other than Arch, and openSUSE Factory build, it seems that no
> major linux distro has added libressl:
>     http://pkgs.org/search/libressl
> 
> An OE libressl recipe is not currently indexed:
>     http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl
> 
> If I search more broadly:
>     http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl
> 
> I see that the OE community does have recipes for:
>    gnutls, nss, polarssl (now mbed TLS) and wolfssl.
> 
> So what do you think of libressl?

I don't see a pressing reason to accept this into OE-Core right now. The
CVE numbers are bound to be lower for something with less exposure and
the fact most mainline distros aren't using it is also a mild
contraindication.

Certainly a recipe in meta-oe and someone experimenting with it would be
great and I'd love to see the feedback and results but I'd be cautious
here for the core right now.

Obviously it will be interesting to see if anyone else has strong
opinions though too.

Cheers,

Richard




Thread overview: 5+ messages
2015-05-04 18:45 Add libreSSL to oe-core? Randy MacLeod
2015-05-05 19:51 ` Richard Purdie [this message]
2015-05-05 20:05   ` Khem Raj
2015-05-05 20:05   ` Otavio Salvador
2015-05-06 15:45     ` Randy MacLeod
