[OE-core] Add libreSSL to oe-core?
Otavio Salvador
otavio at ossystems.com.br
Tue May 5 20:05:30 UTC 2015
On Tue, May 5, 2015 at 4:51 PM, Richard Purdie
<richard.purdie at linuxfoundation.org> wrote:
> On Mon, 2015-05-04 at 14:45 -0400, Randy MacLeod wrote:
>> Should oe-core add libressl as an alternative to openssl and other
>> OE SSL/TLS implementations?
>>
>> We had a request from a customer to add LibreSSL so I was wondering
>> about the plans of the Yocto community and indeed of the larger Linux
>> distro community.
>>
>> Libressl claims (aims?) to be a more stable, secure TLS implementation
>> then OpenSSL. It was initially only for OpenBSD but it supports a
>> variety of platforms now:
>> http://www.libressl.org/releases.html
>> The CVE history enthusiastically summarized on Wikipedia:
>> https://en.wikipedia.org/wiki/LibreSSL
>> does indicate that libressl has been vulnerable to fewer CVEs than
>> openssl so far. I quickly reviewed:
>> https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
>> but perhaps someone on the list has more direct experience, knowledge
>> and/or opinions of implementations of TLS? Note that the libressl devs
>> has stated that they have no interest in FIPS 140-2 certification:
>> http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
>> so that could be a problem for some users.
>>
>>
>> Other than Arch, and openSUSE Factory build, it seems that no
>> major linux distro has added libressl:
>> http://pkgs.org/search/libressl
>>
>> An OE libressl recipe is not current indexed:
>>
>> http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl
>>
>> If I search more broadly:
>> http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl
>>
>> I see that the OE community does have recipes for:
>> gnutls, nss, polarssl (now mbed TLS) and wolfssl.
>>
>> So what do you think of libressl?
>
> I don't see a pressing reason to accept this into OE-Core right now. The
> CVE numbers are bound to be lower for something with less exposure and
> the fact most mainline distros aren't using it is also a mild
> contraindication.
>
> Certainly a recipe in meta-oe and someone experimenting with it would be
> great and I've love to see the feedback and results but I'd be cautious
> here for the core right now.
>
> Obviously it will be interesting to see if anyone else has strong
> opinions though too.
I share this very same view. Adding this to meta-oe seems more logical for now.
--
Otavio Salvador O.S. Systems
http://www.ossystems.com.br http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750
More information about the Openembedded-core
mailing list