* Add libreSSL to oe-core?
From: Randy MacLeod @ 2015-05-04 18:45 UTC
To: Patches and discussions about the oe-core layer
Should oe-core add libressl as an alternative to openssl and other
OE SSL/TLS implementations?
We had a request from a customer to add LibreSSL so I was wondering
about the plans of the Yocto community and indeed of the larger Linux
distro community.
Libressl claims (aims?) to be a more stable, secure TLS implementation
than OpenSSL. It was initially only for OpenBSD but it supports a
variety of platforms now:
http://www.libressl.org/releases.html
The CVE history enthusiastically summarized on Wikipedia:
https://en.wikipedia.org/wiki/LibreSSL
does indicate that libressl has been vulnerable to fewer CVEs than
openssl so far. I quickly reviewed:
https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
but perhaps someone on the list has more direct experience, knowledge
and/or opinions of implementations of TLS? Note that the libressl devs
have stated that they have no interest in FIPS 140-2 certification:
http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
so that could be a problem for some users.
Other than Arch, and openSUSE Factory build, it seems that no
major linux distro has added libressl:
http://pkgs.org/search/libressl
An OE libressl recipe is not currently indexed:
http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl
If I search more broadly:
http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl
I see that the OE community does have recipes for:
gnutls, nss, polarssl (now mbed TLS) and wolfssl.
So what do you think of libressl?
--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON,
Canada, K2K 2W5
* Re: Add libreSSL to oe-core?
From: Richard Purdie @ 2015-05-05 19:51 UTC
To: Randy MacLeod; +Cc: Patches and discussions about the oe-core layer
On Mon, 2015-05-04 at 14:45 -0400, Randy MacLeod wrote:
> Should oe-core add libressl as an alternative to openssl and other
> OE SSL/TLS implementations?
>
> We had a request from a customer to add LibreSSL so I was wondering
> about the plans of the Yocto community and indeed of the larger Linux
> distro community.
>
> Libressl claims (aims?) to be a more stable, secure TLS implementation
> than OpenSSL. It was initially only for OpenBSD but it supports a
> variety of platforms now:
> http://www.libressl.org/releases.html
> The CVE history enthusiastically summarized on Wikipedia:
> https://en.wikipedia.org/wiki/LibreSSL
> does indicate that libressl has been vulnerable to fewer CVEs than
> openssl so far. I quickly reviewed:
> https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
> but perhaps someone on the list has more direct experience, knowledge
> and/or opinions of implementations of TLS? Note that the libressl devs
> have stated that they have no interest in FIPS 140-2 certification:
> http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
> so that could be a problem for some users.
>
>
> Other than Arch, and openSUSE Factory build, it seems that no
> major linux distro has added libressl:
> http://pkgs.org/search/libressl
>
> An OE libressl recipe is not currently indexed:
>
> http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl
>
> If I search more broadly:
> http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl
>
> I see that the OE community does have recipes for:
> gnutls, nss, polarssl (now mbed TLS) and wolfssl.
>
> So what do you think of libressl?
I don't see a pressing reason to accept this into OE-Core right now. The
CVE numbers are bound to be lower for something with less exposure and
the fact most mainline distros aren't using it is also a mild
contraindication.
Certainly a recipe in meta-oe and someone experimenting with it would be
great and I'd love to see the feedback and results but I'd be cautious
here for the core right now.
Obviously it will be interesting to see if anyone else has strong
opinions though too.
Cheers,
Richard
* Re: Add libreSSL to oe-core?
From: Khem Raj @ 2015-05-05 20:05 UTC
To: Richard Purdie; +Cc: Patches and discussions about the oe-core layer
On May 5, 2015 12:52 PM, "Richard Purdie" <
richard.purdie@linuxfoundation.org> wrote:
>
> On Mon, 2015-05-04 at 14:45 -0400, Randy MacLeod wrote:
> > Should oe-core add libressl as an alternative to openssl and other
> > OE SSL/TLS implementations?
> >
> > We had a request from a customer to add LibreSSL so I was wondering
> > about the plans of the Yocto community and indeed of the larger Linux
> > distro community.
> >
> > Libressl claims (aims?) to be a more stable, secure TLS implementation
> > than OpenSSL. It was initially only for OpenBSD but it supports a
> > variety of platforms now:
> > http://www.libressl.org/releases.html
> > The CVE history enthusiastically summarized on Wikipedia:
> > https://en.wikipedia.org/wiki/LibreSSL
> > does indicate that libressl has been vulnerable to fewer CVEs than
> > openssl so far. I quickly reviewed:
> > https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
> > but perhaps someone on the list has more direct experience, knowledge
> > and/or opinions of implementations of TLS? Note that the libressl devs
> > have stated that they have no interest in FIPS 140-2 certification:
> > http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
> > so that could be a problem for some users.
> >
> >
> > Other than Arch, and openSUSE Factory build, it seems that no
> > major linux distro has added libressl:
> > http://pkgs.org/search/libressl
> >
> > An OE libressl recipe is not currently indexed:
> >
> >
http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl
> >
> > If I search more broadly:
> >
http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl
> >
> > I see that the OE community does have recipes for:
> > gnutls, nss, polarssl (now mbed TLS) and wolfssl.
> >
> > So what do you think of libressl?
>
> I don't see a pressing reason to accept this into OE-Core right now.
Me neither
> The CVE numbers are bound to be lower for something with less exposure and
> the fact most mainline distros aren't using it is also a mild
> contraindication.
>
> Certainly a recipe in meta-oe and someone experimenting with it would be
> great and I'd love to see the feedback and results but I'd be cautious
> here for the core right now.
>
> Obviously it will be interesting to see if anyone else has strong
> opinions though too.
>
> Cheers,
>
> Richard
>
* Re: Add libreSSL to oe-core?
From: Otavio Salvador @ 2015-05-05 20:05 UTC
To: Richard Purdie; +Cc: Patches and discussions about the oe-core layer
On Tue, May 5, 2015 at 4:51 PM, Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
> On Mon, 2015-05-04 at 14:45 -0400, Randy MacLeod wrote:
>> Should oe-core add libressl as an alternative to openssl and other
>> OE SSL/TLS implementations?
>>
>> We had a request from a customer to add LibreSSL so I was wondering
>> about the plans of the Yocto community and indeed of the larger Linux
>> distro community.
>>
>> Libressl claims (aims?) to be a more stable, secure TLS implementation
>> than OpenSSL. It was initially only for OpenBSD but it supports a
>> variety of platforms now:
>> http://www.libressl.org/releases.html
>> The CVE history enthusiastically summarized on Wikipedia:
>> https://en.wikipedia.org/wiki/LibreSSL
>> does indicate that libressl has been vulnerable to fewer CVEs than
>> openssl so far. I quickly reviewed:
>> https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
>> but perhaps someone on the list has more direct experience, knowledge
>> and/or opinions of implementations of TLS? Note that the libressl devs
>> have stated that they have no interest in FIPS 140-2 certification:
>> http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
>> so that could be a problem for some users.
>>
>>
>> Other than Arch, and openSUSE Factory build, it seems that no
>> major linux distro has added libressl:
>> http://pkgs.org/search/libressl
>>
>> An OE libressl recipe is not currently indexed:
>>
>> http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl
>>
>> If I search more broadly:
>> http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl
>>
>> I see that the OE community does have recipes for:
>> gnutls, nss, polarssl (now mbed TLS) and wolfssl.
>>
>> So what do you think of libressl?
>
> I don't see a pressing reason to accept this into OE-Core right now. The
> CVE numbers are bound to be lower for something with less exposure and
> the fact most mainline distros aren't using it is also a mild
> contraindication.
>
> Certainly a recipe in meta-oe and someone experimenting with it would be
> great and I'd love to see the feedback and results but I'd be cautious
> here for the core right now.
>
> Obviously it will be interesting to see if anyone else has strong
> opinions though too.
I share this very same view. Adding this to meta-oe seems more logical for now.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750
* Re: Add libreSSL to oe-core?
From: Randy MacLeod @ 2015-05-06 15:45 UTC
To: Otavio Salvador, Richard Purdie
Cc: Patches and discussions about the oe-core layer
On 2015-05-05 04:05 PM, Otavio Salvador wrote:
> On Tue, May 5, 2015 at 4:51 PM, Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
>> On Mon, 2015-05-04 at 14:45 -0400, Randy MacLeod wrote:
...
>> Certainly a recipe in meta-oe and someone experimenting with it would be
>> great and I'd love to see the feedback and results but I'd be cautious
>> here for the core right now.
>>
>> Obviously it will be interesting to see if anyone else has strong
>> opinions though too.
>
> I share this very same view. Adding this to meta-oe seems more logical for now.
>
Thanks for the comments. That's my opinion as well so we'll
consider adding libressl to meta-oe but given what I've learned
so far, it's a low priority.
--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON,
Canada, K2K 2W5