[OE-core] Add libreSSL to oe-core?

Richard Purdie richard.purdie at linuxfoundation.org
Tue May 5 19:51:29 UTC 2015


On Mon, 2015-05-04 at 14:45 -0400, Randy MacLeod wrote:
> Should oe-core add libressl as an alternative to openssl and other
> OE SSL/TLS implementations?
> 
> We had a request from a customer to add LibreSSL so I was wondering
> about the plans of the Yocto community and indeed of the larger Linux
> distro community.
> 
> Libressl claims (aims?) to be a more stable, secure TLS implementation
> than OpenSSL. It was initially only for OpenBSD but it supports a
> variety of platforms now:
>     http://www.libressl.org/releases.html
> The CVE history enthusiastically summarized on Wikipedia:
>     https://en.wikipedia.org/wiki/LibreSSL
> does indicate that libressl has been vulnerable to fewer CVEs than
> openssl so far. I quickly reviewed:
>     https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
> but perhaps someone on the list has more direct experience, knowledge
> and/or opinions of implementations of TLS? Note that the libressl devs
> have stated that they have no interest in FIPS 140-2 certification:
>     http://marc.info/?l=openbsd-misc&m=139819485423701&w=2
> so that could be a problem for some users.
> 
> 
> Other than Arch, and openSUSE Factory build, it seems that no
> major linux distro has added libressl:
>     http://pkgs.org/search/libressl
> 
> An OE libressl recipe is not currently indexed:
>     http://layers.openembedded.org/layerindex/branch/master/recipes/?q=libressl
> 
> If I search more broadly:
>     http://layers.openembedded.org/layerindex/branch/master/recipes/?q=ssl
> 
> I see that the OE community does have recipes for:
>    gnutls, nss, polarssl (now mbed TLS) and wolfssl.
> 
> So what do you think of libressl?

I don't see a pressing reason to accept this into OE-Core right now. The
CVE numbers are bound to be lower for something with less exposure and
the fact most mainline distros aren't using it is also a mild
contraindication.

Certainly a recipe in meta-oe and someone experimenting with it would be
great and I'd love to see the feedback and results but I'd be cautious
here for the core right now.

Obviously it will be interesting to see if anyone else has strong
opinions though too.

Cheers,

Richard



