On Wed, Nov 20, 2019 at 11:44 AM Ryan Harkin <ryan.har...@linaro.org> wrote:
>
> Hi Andre,
>
> On Wed, 20 Nov 2019 at 19:27, Andre McCurdy <armccu...@gmail.com> wrote:
>>
>> On Wed, Nov 20, 2019 at 11:09 AM Mark Hatle
>> <mark.ha...@kernel.crashing.org> wrote:
>> > On 11/20/19 1:06 PM, Ryan Harkin wrote:
>> > > On Wed, 20 Nov 2019 at 18:36, Mark Hatle <mark.ha...@kernel.crashing.org
>> > > <mailto:mark.ha...@kernel.crashing.org>> wrote:
>> > >
>> > >     You know that 1.0.2 and 1.1 APIs are not compatible? So you will
>> > >     need to update everything that needs OpenSSL to understand the new API.
>> > >
>> > > So far, we're only using it in a shell script to sign an image and later
>> > > verify the image, so I've assumed, perhaps naively, that the API changes
>> > > won't matter...
>> >
>> > Correct, but there may be other components of the system that could be
>> > using the API that you are unaware of. On a system as old as Sumo, you will
>> > need to take precautions to ensure that ONLY the 1.1x version is being used.
>> > (There may be an openssl10 for compatibility that will need to be
>> > blacklisted.)
>> >
>> > >     For CVE fixes, typically you would patch 1.0.2p, or update to the
>> > >     latest (1.0.2t) as you go. (If you have an OSV, this should be part
>> > >     of the services that they offer you.)
>> > >
>> > >     In my opinion, 1.0.2 will be around for at least another 4-5 years
>> > >     due to the number of people actively using it in the world. Until
>> > >     1.1/3.0 (won't be a 2.0 from what I read) exists and has FIPS-140-2
>> > >     support available -- people will continue to use 1.0.2 and maintain
>> > >     it as necessary for security.
>> > >
>> > >     As an FYI:
>> > >     http://git.yoctoproject.org/cgit/cgit.cgi/meta-openssl102/
>> > >
>> > >     This version is for thud, warrior, zeus and master. It is intended
>> > >     to be maintained until either 1.0.2 is no longer maintainable -- or
>> > >     the FIPS-140-2 needs have been met by OpenSSL.
>> > >
>> > > Great, that looks like a better option anyway, assuming it has the latest
>> > > fixes I need, and doesn't give me the same build problem. Thanks for
>> > > pointing it out. I'll give it a go.
>> >
>> > It's better to work with the Sumo version for your needs. I just posted
>> > that as an example of openssl 1.0.2 being needed still by others, even as
>> > oe-core/Yocto Project have changed their defaults.
>>
>> If you want an up-to-date openssl 1.0.2 recipe which is compatible
>> with Sumo, you can find one here:
>>
>> https://github.com/armcc/meta-plumewifi
>>
>> I'm only actively testing it with OE 1.6 (Daisy) and OE 2.7 (Warrior)
>> but it should work for all versions in between (and if it doesn't I'll
>> accept patches or try to fix it).
>
> Thanks! It looks similar to the tree Mark Hatle pointed out to me. Two diffs
> jump out:
>
> - Your repo adds the RPROVIDES for openssl-bin to "Be compatible with the
>   openssl 1.1.x recipe".

Yes. Makes the transition between 1.0.2 and 1.1.x a little easier.

> - Mark's repo has two extra patches:
>   file://0001-Fix-BN_LLONG-breakage.patch \
>   file://0001-Fix-DES_LONG-breakage.patch \

Those patches are in my repo too - but only in the master-next branch.
They are not required for Sumo. (Since some might regard those patches
as a little "dubious" I don't pull them in unless they're necessary).

> Regards,
> Ryan.

--
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
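Two practical points come up in the thread above: a shell script that signs and verifies an image through the openssl command line is unaffected by the 1.0.2 to 1.1.x library API break, and anything on the image still linked against the 1.0.x libraries has to be found before the old package can be dropped. The script below is an added example illustrating both; it is not part of the thread, of meta-openssl102 or of meta-plumewifi. It assumes a POSIX shell with an openssl binary (any of 1.0.2, 1.1.x or later) and ldd on PATH; the function names and the ldd-style sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the recipes it discusses.
#
# Part 1: detached RSA-SHA256 signature over an image using only the openssl
# CLI. "openssl dgst -sign" / "-verify" take the same arguments on 1.0.2 and
# 1.1.x, so a script like this keeps working across the upgrade that breaks
# C programs written against the 1.0.2 API.
#
# Part 2: the precaution Mark mentions. The library sonames changed from
# libssl.so.1.0.0 / libcrypto.so.1.0.0 to libssl.so.1.1 / libcrypto.so.1.1,
# so scanning dynamic dependencies is enough to find binaries that would
# still drag an openssl10 compatibility package back into the image.

# gen_signing_key KEY PUBKEY: 2048-bit RSA keypair, PEM encoded.
gen_signing_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

# sign_image KEY IMAGE SIG: write a detached signature of IMAGE to SIG.
sign_image() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_image PUBKEY IMAGE SIG: 0 when the signature verifies, 1 otherwise.
verify_image() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# sign_verify_roundtrip IMAGE: 0 only if a fresh signature verifies AND the
# same signature is rejected once a byte is appended to the image.
sign_verify_roundtrip() {
    image=$1
    work=$(mktemp -d) || return 1
    rc=1
    if gen_signing_key "$work/sign.key" "$work/sign.pub" &&
       sign_image "$work/sign.key" "$image" "$work/image.sig" &&
       verify_image "$work/sign.pub" "$image" "$work/image.sig"; then
        cp "$image" "$work/tampered.img"
        printf 'x' >> "$work/tampered.img"
        if ! verify_image "$work/sign.pub" "$work/tampered.img" "$work/image.sig"; then
            rc=0
        fi
    fi
    rm -rf "$work"
    return $rc
}

# links_openssl10 LDD_OUTPUT: 0 if ldd-style text shows OpenSSL 1.0.x linkage.
links_openssl10() {
    printf '%s\n' "$1" | grep -Eq 'lib(ssl|crypto)\.so\.1\.0\.[0-9]'
}

# find_openssl10_users ROOTFS: print every executable under ROOTFS whose
# dynamic dependencies still resolve to the 1.0.x libraries. Run it against
# an unpacked image (or a sysroot with ldd from the matching toolchain).
find_openssl10_users() {
    find "$1" -type f -perm -100 2>/dev/null | while read -r f; do
        out=$(ldd "$f" 2>/dev/null) || continue
        if links_openssl10 "$out"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed ldd output, one binary built against each OpenSSL generation.
LDD_OLD='	libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f3a2c400000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f3a2c000000)'
LDD_NEW='	libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f3a2c400000)
	libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f3a2c000000)'
```

The round trip deliberately checks the negative case too: a verify step that cannot fail on a tampered image proves nothing, and "Verified OK" from one build is not a substitute for that. Whether find_openssl10_users reports anything is the test to run on the Sumo image before removing the 1.0.2 recipe, since a single straggler is enough to keep the old libraries, and their CVE exposure, on the device.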