From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 478CC82174 for ; Thu, 23 Feb 2017 14:09:36 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CE9E43D945; Thu, 23 Feb 2017 22:09:36 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-116-58.phx2.redhat.com [10.3.116.58]) by smtp.corp.redhat.com (Postfix) with ESMTP id B16A22D654; Thu, 23 Feb 2017 22:09:34 +0000 (UTC) To: edk2-devel-01 References: <20170223215744.7293-1-lersek@redhat.com> Cc: Ruiyu Ni , Ard Biesheuvel , Ting Ye , Jordan Justen , Jiaxin Wu , Gary Lin , Qin Long , Tomas Hoger From: Laszlo Ersek Message-ID: Date: Thu, 23 Feb 2017 23:09:32 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1 MIME-Version: 1.0 In-Reply-To: <20170223215744.7293-1-lersek@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 23 Feb 2017 22:09:36 +0000 (UTC) Subject: Re: [URGENT-ish PATCH 0/5] ArmVirt- Nt32- Ovmf- CryptoPkg: conditionalize libssl presence in OpensslLib X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2017 22:09:36 -0000 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit On 02/23/17 22:57, Laszlo Ersek wrote: > In commit 32387e0081db ("CryptoPkg: Enable ssl build in OpensslLib > directly", 2016-12-14), we enabled libssl functionality in > CryptoPkg/OpensslLib unconditionally. > > While that's real convenient, it is also overkill for platforms (or > platform builds) that don't want TLS. The impact (beyond wasted build > time) is that when the next vulnerability comes out that affects the > libssl subset of OpenSSL, security teams all around will look at build > logs and INF files, see the libssl files being built, and get nervous -- > without a good reason for such builds that don't actually *use* TLS. > > Let's make this easier on them (and thereby on ourselves!), and > introduce an OpensslLibNoSsl instance, which excludes libssl. Public repo and branch: https://github.com/lersek/edk2.git conditionalize-ssl