[OE-core] [PATCH 2/2] bind: disable ecdsa if openssl doesn't support it

Richard Purdie richard.purdie at linuxfoundation.org
Wed Jul 5 14:28:38 UTC 2017


On Wed, 2017-07-05 at 15:58 +0800, kai.kang at windriver.com wrote:
> From: Kai Kang <kai.kang at windriver.com>
> 
> Distro feature 'openssl-no-weak-ciphers' is introduced to disable
> openssl weak ciphers support which include ecdsa. So configure bind
> without ecdsa if openssl doesn't support it.
> 
> Signed-off-by: Kai Kang <kai.kang at windriver.com>
> ---
>  meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> index 7eb79b0..e10cffc 100644
> --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
> @@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('
> DISTRO_FEATURES', 'ipv6', 'ye
>  EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
>                   --disable-devpoll --enable-epoll --with-gost=no \
>                   --with-gssapi=no --with-ecdsa=yes \
> +                 --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES'
> , 'openssl-no-weak-ciphers', 'no', 'yes', d)} \
>                   --sysconfdir=${sysconfdir}/bind \
>                   --with-openssl=${STAGING_LIBDIR}/.. \
>                 "
> 
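
Review bot: The hard-coded --with-ecdsa=yes on the line "--with-gssapi=no --with-ecdsa=yes \" is left in place directly above the added conditional --with-ecdsa=${@bb.utils.contains(...)} line, so EXTRA_OECONF passes the option to configure twice and the effective value depends on argument order. Remove --with-ecdsa=yes from the --with-gssapi=no line so that the DISTRO_FEATURES conditional is the only place the value is set.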

I think there are a few more questions that need answering about this,
like why ecdsa is considered weak but this patch leaves
--with-ecdsa=yes in there which is confusing at best.

I do think these are best controlled as individual PACKAGECONFIG
options rather than a distro setting which is ambiguous (what is
'weak').

Cheers,

Richard


