From: Laszlo Ersek <lersek@redhat.com>
To: edk2-devel-01 <edk2-devel@ml01.01.org>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Ting Ye <ting.ye@intel.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Jiaxin Wu <jiaxin.wu@intel.com>, Gary Lin <glin@suse.com>,
Qin Long <qin.long@intel.com>, Tomas Hoger <thoger@redhat.com>
Subject: Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib
Date: Thu, 23 Feb 2017 23:09:32 +0100 [thread overview]
Message-ID: <b0f09820-7794-3a5c-2834-2cc6ee0bc1ee@redhat.com> (raw)
In-Reply-To: <20170223215744.7293-1-lersek@redhat.com>
On 02/23/17 22:57, Laszlo Ersek wrote:
> In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib
> directly", 2016-12-14), we enabled libssl functionality in
> CryptoPkg/OpensslLib unconditionally.
>
> While that's real convenient, it is also overkill for platforms (or
> platform builds) that don't want TLS. The impact (beyond wasted build
> time) is that when the next vulnerability comes out that affects the
> libssl subset of OpenSSL, security teams all around will look at build
> logs and INF files, see the libssl files being built, and get nervous --
> without a good reason for such builds that don't actually *use* TLS.
>
> Let's make this easier on them (and thereby on ourselves!), and
> introduce an OpensslLibNoSsl instance, which excludes libssl.
Public repo and branch:
https://github.com/lersek/edk2.git conditionalize-ssl
next prev parent reply other threads:[~2017-02-23 22:09 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-23 21:57 [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Laszlo Ersek
2017-02-23 21:57 ` [PATCH 1/5] CryptoPkg/OpensslLib: refresh OpensslLib.inf, opensslconf.h after 32387e00 Laszlo Ersek
2017-02-23 21:57 ` [PATCH 2/5] CryptoPkg/OpensslLib: introduce OpensslLibNoSsl instance Laszlo Ersek
2017-02-23 21:57 ` [PATCH 3/5] ArmVirtPkg: resolve OpensslLib to OpensslLibNoSsl Laszlo Ersek
2017-02-23 22:26 ` Ard Biesheuvel
2017-02-23 21:57 ` [PATCH 4/5] Nt32Pkg: exclude libssl functionality from OpensslLib if TLS_ENABLE=FALSE Laszlo Ersek
2017-02-24 4:09 ` Ni, Ruiyu
[not found] ` <895558F6EA4E3B41AC93A00D163B72741629D991@SHSMSX103.ccr.corp.intel.com>
2017-02-24 9:46 ` Laszlo Ersek
2017-02-23 21:57 ` [PATCH 5/5] OvmfPkg: " Laszlo Ersek
2017-02-24 6:15 ` Gary Lin
2017-02-23 22:09 ` Laszlo Ersek [this message]
2017-02-23 22:25 ` [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib Ard Biesheuvel
2017-02-24 3:32 ` Long, Qin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b0f09820-7794-3a5c-2834-2cc6ee0bc1ee@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox