[OE-core] Add libreSSL to oe-core?

Khem Raj raj.khem at gmail.com
Tue May 5 20:05:26 UTC 2015


On May 5, 2015 12:52 PM, "Richard Purdie" <richard.purdie at linuxfoundation.org> wrote:
>
> On Mon, 2015-05-04 at 14:45 -0400, Randy MacLeod wrote:
> > Should oe-core add libressl as an alternative to openssl and other
> > OE SSL/TLS implementations?
> >
> > We had a request from a customer to add LibreSSL so I was wondering
> > about the plans of the Yocto community and indeed of the larger Linux
> > distro community.
> >
> > Libressl claims (aims?) to be a more stable, secure TLS implementation
> > than OpenSSL. It was initially only for OpenBSD but it supports a
> > variety of platforms now:
> >     http://www.libressl.org/releases.html
> > The CVE history enthusiastically summarized on Wikipedia:
> >     https://en.wikipedia.org/wiki/LibreSSL
> > does indicate that libressl has been vulnerable to fewer CVEs than
> > openssl so far. I quickly reviewed:
> >     https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
> > but perhaps someone on the list has more direct experience, knowledge
> > and/or opinions of implementations of TLS? Note that the libressl devs
> > have stated that they have no interest in FIPS 140-2 certification:
> >     http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
> > so that could be a problem for some users.
> >
> >
> > Other than Arch, and openSUSE Factory build, it seems that no
> > major linux distro has added libressl:
> >     http://pkgs.org/search/libressl
> >
> > An OE libressl recipe is not currently indexed:
> >
> >     http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl
> >
> > If I search more broadly:
> >
> >     http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl
> >
> > I see that the OE community does have recipes for:
> >    gnutls, nss, polarssl (now mbed TLS) and wolfssl.
> >
> > So what do you think of libressl?
>
> I don't see a pressing reason to accept this into OE-Core right now.

Me neither

> The CVE numbers are bound to be lower for something with less exposure and
> the fact most mainline distros aren't using it is also a mild
> contraindication.
>
> Certainly a recipe in meta-oe and someone experimenting with it would be
> great and I'd love to see the feedback and results but I'd be cautious
> here for the core right now.
>
> Obviously it will be interesting to see if anyone else has strong
> opinions though too.
>
> Cheers,
>
> Richard