* [PATCH 1/2] openssh: make OpenSSL optional
From: Max Kellermann @ 2018-09-20 13:16 UTC (permalink / raw)
To: openembedded-core; +Cc: Max Kellermann
From: Max Kellermann <max.kellermann@gmail.com>
Without OpenSSL, OpenSSH can still do ed25519, which is enough for
many users; and it saves a rather heavy dependency.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
---
meta/recipes-connectivity/openssh/openssh_7.8p1.bb | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-connectivity/openssh/openssh_7.8p1.bb b/meta/recipes-connectivity/openssh/openssh_7.8p1.bb
index f4b295f2df..6dfa2cfd2c 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.8p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.8p1.bb
@@ -8,8 +8,7 @@ SECTION = "console/network"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
-# openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48
-DEPENDS = "zlib openssl10"
+DEPENDS = "zlib"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
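Review bot: with `openssl10` dropped from the `DEPENDS` line, OpenSSL reaches the build only through the `PACKAGECONFIG` default added later in this patch, so a distro or bbappend that sets `PACKAGECONFIG` for this recipe without listing `openssl` silently gets an sshd that, per the commit message, handles only ed25519 keys. Please record that consequence in a comment in the recipe, not only in the commit message, so it is visible to whoever reviews an image's SSH configuration.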
@@ -71,6 +70,10 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
# We don't want to depend on libblockfile
CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
+PACKAGECONFIG ??= "openssl"
+# openssl 1.1 patches are proposed at https://github.com/openssh/openssh-portable/pull/48
+PACKAGECONFIG[openssl] = ",--without-openssl,openssl10"
+
do_configure_prepend () {
export LD="${CC}"
install -m 0644 ${WORKDIR}/sshd_config ${B}/
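Review bot: in `PACKAGECONFIG[openssl] = ",--without-openssl,openssl10"` the enable field is empty, so the OpenSSL build depends on whatever configure decides by default; passing `--with-openssl` there would make both states explicit and reproducible. Since `do_configure_prepend` right below installs a fixed `sshd_config`, please also confirm that this file and the host key setup still work when the option is disabled and only ed25519 keys are available.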
--
2.18.0
* [PATCH 2/2] libsolv: make rpm optional
From: Max Kellermann @ 2018-09-20 13:16 UTC (permalink / raw)
To: openembedded-core; +Cc: Max Kellermann
From: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
---
meta/recipes-extended/libsolv/libsolv_0.6.35.bb | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-extended/libsolv/libsolv_0.6.35.bb b/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
index 0956453022..12dfc5d3a2 100644
--- a/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
+++ b/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
@@ -5,7 +5,7 @@ SECTION = "devel"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.BSD;md5=62272bd11c97396d4aaf1c41bc11f7d8"
-DEPENDS = "expat zlib rpm"
+DEPENDS = "expat zlib"
SRC_URI = "git://github.com/openSUSE/libsolv.git"
SRC_URI_append_libc-musl = " file://0001-Add-fallback-fopencookie-implementation.patch \
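Review bot: the `DEPENDS` change from `expat zlib rpm` to `expat zlib` arrives with an empty commit message body, so nothing states why rpm should be optional or what a libsolv built without it can no longer do. Please add a short description, as was done for the openssh patch.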
@@ -19,7 +19,10 @@ S = "${WORKDIR}/git"
inherit cmake
-EXTRA_OECMAKE = "-DLIB=${baselib} -DMULTI_SEMANTICS=ON -DENABLE_RPMMD=ON -DENABLE_RPMDB=ON -DENABLE_COMPLEX_DEPS=ON"
+PACKAGECONFIG ??= "rpm"
+PACKAGECONFIG[rpm] = "-DENABLE_RPMMD=ON -DENABLE_RPMDB=ON,,rpm"
+
+EXTRA_OECMAKE = "-DLIB=${baselib} -DMULTI_SEMANTICS=ON -DENABLE_COMPLEX_DEPS=ON"
PACKAGES =+ "${PN}-tools ${PN}ext"
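Review bot: `PACKAGECONFIG[rpm]` leaves its disable field empty, so turning the option off relies on the project's CMake defaults for `ENABLE_RPMMD` and `ENABLE_RPMDB` being off; stating `-DENABLE_RPMMD=OFF -DENABLE_RPMDB=OFF` there avoids that dependence. It is also worth confirming that both flags really need the `rpm` dependency, since they were set unconditionally before and are now tied to it as a pair.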
--
2.18.0
* Re: [PATCH 1/2] openssh: make OpenSSL optional
From: Alexander Kanavin @ 2018-09-20 14:11 UTC (permalink / raw)
To: Max Kellermann; +Cc: Max Kellermann, OE-core
2018-09-20 15:16 GMT+02:00 Max Kellermann <max+openembedded@blarg.de>:
> Without OpenSSL, OpenSSH can still do ed25519, which is enough for
> many users; and it saves a rather heavy dependency.
I don't object to the patch (except it would need to be rebased on top
of the openssl 1.1 patch), but I would like to know a bit more.
What is ed25519? Can a client that supports only that connect to most
or all servers? Can a server that supports only that accept
connections from most or all clients? Are any features lost?
Alex
* Re: [PATCH 1/2] openssh: make OpenSSL optional
From: Max Kellermann @ 2018-09-20 14:22 UTC (permalink / raw)
To: Alexander Kanavin; +Cc: OE-core
On 2018/09/20 16:11, Alexander Kanavin <alex.kanavin@gmail.com> wrote:
> I don't object to the patch (except it would need to be rebased on top
> of the openssl 1.1 patch), but I would like to know a bit more.
Ok, I'll do that once that one is merged.
> What is ed25519? Can a client that supports only that connect to most
> or all servers? Can a server that supports only that accept
> connections from most or all clients? Are any features lost?
It is a newer public key type, supported since OpenSSH 6.5
(https://www.openssh.com/txt/release-6.5). The crypto math behind it
was designed by Daniel Bernstein (https://ed25519.cr.yp.to/).
Usually, OpenSSH uses OpenSSL for some of its crypto, but it can use
ed25519 natively without OpenSSL. This means you can eliminate
OpenSSL completely in some images, without having to omit OpenSSH as
well.
The downside is that a binary compiled without OpenSSL understands
only ed25519 keys, and nothing else. That means the server will only
be able to accept ed25519 public keys, but no RSA/DSA. That's ok for
some people who will only use ed25519 anyway (like me). For others,
it might be a good reason to switch to ed25519 (which is allegedly
more secure than RSA).
Max
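The compatibility question answered above can be checked on a system before switching builds. This added example (not part of the thread or of OpenSSH) lists the `authorized_keys` entries that would stop working on a binary that understands only ed25519; the sample file, the function names, and the rule that only plain `ssh-ed25519` entries stay usable are assumptions drawn from the message.

```python
# Added example: audit authorized_keys for a build that only handles ed25519.
USABLE_TYPES = {"ssh-ed25519"}  # assumption taken from the message above

# Constructed sample; the key blobs are truncated placeholders, not real keys.
SAMPLE = '''\
# constructed sample file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder bob@desktop
command="backup --mode full",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder backup job
from="10.0.0.*" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder2 ci@builder
'''

def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    fields, cur, in_quotes, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch.isspace() and not in_quotes:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur:
        fields.append(cur)
    return fields

def audit(text):
    """Return (usable, rejected) lists of (line_no, key_type, comment)."""
    usable, rejected = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = split_fields(line)
        # A key blob is base64 of a length-prefixed type name, so it starts
        # with "AAAA"; the key type is the field right before it.
        idx = next((i for i in range(1, len(f)) if f[i].startswith("AAAA")), None)
        if idx is None:
            rejected.append((no, "unparsed", ""))
            continue
        entry = (no, f[idx - 1], " ".join(f[idx + 1:]))
        (usable if f[idx - 1] in USABLE_TYPES else rejected).append(entry)
    return usable, rejected

if __name__ == "__main__":
    for no, ktype, comment in audit(SAMPLE)[1]:
        print(f"line {no}: {ktype} ({comment}) will not be accepted")
```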