[oe] Question about ntp build option

Fan, Xin fan.xin at jp.fujitsu.com
Fri Jan 16 02:05:27 UTC 2015


Hi Paul,

First of all, thanks for your reply.

> There will always be differences in how people expect software to be 
> configured for whatever target and application they are building for, 
> hence why we make it fairly easy to adjust the configuration.
Actually, I had the same opinion as you at the beginning.

But last December, ntp published 4 serious vulnerabilities (CVE-2014-9293,
CVE-2014-9294, CVE-2014-9295, CVE-2014-9296). So I think even the clock display
function should also be protected by openssl for a safe connection.

And I find more packages in Yocto which also use openssl as the
default option, so I think ntp should also set the openssl option as the default setting.

What do you think about it?

Cheers,
Fan

-----Original Message-----
From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com] 
Sent: Monday, January 05, 2015 11:34 PM
To: Fan, Xin/樊 シン
Cc: openembedded-devel at lists.openembedded.org
Subject: Re: [oe] Question about ntp build option

Hi Fan,

On Friday 28 November 2014 06:05:36 Fan, Xin wrote:
> I wonder why ntp uses the without-openssl build option and
> disables openssl by default.
> 
> In my opinion, ntp needs openssl to support public key
> cryptography and it should be enabled by default.

I set it up this way originally because I didn't figure SSL to be that important for a protocol like ntp for the common case. To my mind, it depends on what you are doing with time on the system which is being synchronised - if you are only using it to display a clock somewhere for the user, the security of the connection to the ntp server isn't really that important vs. avoiding the dependency on another library. If on the other hand you are writing logs or you are using a time-sensitive protocol such as Kerberos on the same system then you might want to consider enabling it.

There will always be differences in how people expect software to be configured for whatever target and application they are building for, hence why we make it fairly easy to adjust the configuration. In this case you only need to set your own PACKAGECONFIG value for ntp to include "openssl" and SSL support will be enabled.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre
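
The PACKAGECONFIG setting described in the message above, written out as an added example that is not part of the original thread or the ntp recipe. It assumes the override goes in the build directory's conf/local.conf; only the recipe name "ntp" and the option name "openssl" come from the thread.

```bitbake
# conf/local.conf (assumed location; a distro .conf or an ntp bbappend also works)

# Override syntax in use when this thread was written (releases before 3.4).
# The leading space inside the quotes is required: _append does not add one,
# and without it "openssl" would be glued onto the previous option name.
PACKAGECONFIG_append_pn-ntp = " openssl"

# Same setting in the colon override syntax used by release 3.4 and later.
# Use one form or the other, matching the release you build with.
#PACKAGECONFIG:append:pn-ntp = " openssl"

# Check the value bitbake actually resolves for the recipe, run from the
# build environment shell:
#   bitbake -e ntp | grep '^PACKAGECONFIG='
# "openssl" should appear in the printed value.
```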


