On 2017-07-05 22:28, Richard Purdie wrote:
On Wed, 2017-07-05 at 15:58 +0800, [email protected] wrote:
From: Kai Kang <[email protected]>
Distro feature 'openssl-no-weak-ciphers' is introduced to disable
openssl weak ciphers support which include ecdsa. So configure bind
without ecdsa if openssl doesn't support it.
Signed-off-by: Kai Kang <[email protected]>
---
meta/recipes-connectivity/bind/bind_9.10.3-P3.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index 7eb79b0..e10cffc 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -41,6 +41,7 @@ ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('
DISTRO_FEATURES', 'ipv6', 'ye
EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
--disable-devpoll --enable-epoll --with-gost=no \
--with-gssapi=no --with-ecdsa=yes \
+ --with-ecdsa=${@bb.utils.contains('DISTRO_FEATURES'
, 'openssl-no-weak-ciphers', 'no', 'yes', d)} \
--sysconfdir=${sysconfdir}/bind \
--with-openssl=${STAGING_LIBDIR}/.. \
"
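Review bot: EXTRA_OECONF now carries two --with-ecdsa options, because the unchanged line `--with-gssapi=no --with-ecdsa=yes \` still hard-codes `yes` directly above the added `--with-ecdsa=${@bb.utils.contains(...)}` line. The build then disables ECDSA only if configure lets the later option override the earlier one, and anyone reading the recipe sees contradictory settings. Drop `--with-ecdsa=yes` from the `--with-gssapi=no` line in the same hunk so the conditional expression is the single source of the value. A short comment in the recipe saying that the value must follow how openssl itself is configured would also help, since nothing in the hunk explains why bind's ECDSA support is tied to the 'openssl-no-weak-ciphers' distro feature.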
I think there are a few more questions that need answering about this,
like why ecdsa is considered weak but this patch leaves
--with-ecdsa=yes in there which is confusing at best.
I do think these are best controlled as individual PACKAGECONFIG
options rather than a distro setting which is ambiguous (what is
'weak').
Maybe I didn't express myself clearly. The original requirement is to disable
weak ciphers (maybe we should discuss the scope of weak ciphers)
for openssl. And then other packages depend on openssl. For bind, if
openssl is configured with 'no-ecdsa', bind will fail to compile. So add
a distro feature to sync openssl and the other packages that depend on it.
Thanks,
Kai
Cheers,
Richard
--
Regards,
Neil | Kai Kang