[OE-core] [warrior][PATCH] dropbear: new feature: disable-weak-ciphers
richard.purdie at linuxfoundation.org
Tue Jul 16 13:15:38 UTC 2019
On Mon, 2019-07-15 at 16:08 -0500, Joseph Reynolds wrote:
> On 7/15/19 3:58 PM, Adrian Bunk wrote:
> > On Mon, Jul 15, 2019 at 03:38:57PM -0500, Joseph Reynolds wrote:
> > > Enhances dropbear with a new feature "disable-weak-ciphers", on by default.
> > > This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers in
> > > the dropbear ssh server and client.
> > >
> > > Disable this feature if you need to connect to the ssh server from older
> > > clients. Additional customization can be done with local_options.h as usual.
> > > ...
> > Changing the default behaviour in a stable series does not sound
> > appropriate to me.
>
> Although this patch is for security, it is a config change and not a
> fix. I understand if you don't want to add it to a release branch,
> and I am okay with that. I just want to know one way or the
> other.
> If this is the answer, we'll put the patch into our downstream
> project (github.com/openbmc/openbmc branch=warrior) ... waiting for
> more opinions ....
Whilst I understand the rationale behind this, our policy for stable
branches is clear, we shouldn't change behaviour there unless it's for a
significant security issue. This is more prevention rather than a known
large issue.
So unless I hear strong support for adding it, I think we probably just
move forward with it in master.
The patch is here if anyone does want it.
(Armin as the stable branch maintainer does also have a say in this,
I'm not sure what his opinion is).
Cheers,
Richard