From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: kai.kang@windriver.com, openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it
Date: Wed, 05 Jul 2017 15:28:38 +0100
Message-ID: <1499264918.9571.180.camel@linuxfoundation.org>
In-Reply-To: <35164d05e9ab2505c931424d4b7c7b9fea9c65f8.1499241206.git.kai.kang@windriver.com>
On Wed, 2017-07-05 at 15:58 +0800, kai.kang@windriver.com wrote:
> From: Kai Kang <kai.kang@windriver.com>
>
> Distro feature 'openssl-no-weak-ciphers' is introduced to disable
> openssl weak ciphers support which include ecdsa. So configure bind
> without ecdsa if openssl doesn't support it.
>
> Signed-off-by: Kai Kang <kai.kang@windriver.com>
> ---
> meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> index 7eb79b0..e10cffc 100644
> --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> @@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('
> DISTRO_FEATURES', 'ipv6', 'ye
> EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
> --disable-devpoll --enable-epoll --with-gost=no \
> --with-gssapi=no --with-ecdsa=yes \
> + --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES'
> , 'openssl-no-weak-ciphers', 'no', 'yes', d)} \
> --sysconfdir=${sysconfdir}/bind \
> --with-openssl=${STAGING_LIBDIR}/.. \
> "
>
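
Review bot: The new "--with-ecdsa=${@bb.utils.contains(...)}" line is added directly below the unchanged "--with-gssapi=no --with-ecdsa=yes \" line, so EXTRA_OECONF now passes --with-ecdsa twice and the effective value depends on which occurrence configure honours. Remove the hard-coded "--with-ecdsa=yes" from the preceding line in the same hunk so the option is set in exactly one place. The commit message should also state why ecdsa is covered by 'openssl-no-weak-ciphers', since nothing in the recipe explains the link.
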
I think there are a few more questions that need answering about this,
like why ecdsa is considered weak but this patch leaves
--with-ecdsa=yes in there which is confusing at best.

I do think these are best controlled as individual PACKAGECONFIG
options rather than a distro setting which is ambiguous (what is
'weak').

Cheers,
Richard