[Buildroot] [V3 2/2] dropbear: unbundle libtomath & libtomcrypt
francois.perrad at gadz.org
Fri Mar 23 04:15:43 UTC 2018
2018-03-22 6:36 GMT+01:00 Baruch Siach <baruch at tkos.co.il>:
> Hi Thomas,
> On Wed, Mar 21, 2018 at 09:22:55PM +0100, Thomas Petazzoni wrote:
> > On Wed, 21 Mar 2018 22:16:08 +0200, Baruch Siach wrote:
> > > Here is my full commit on v2:
> > >
> > > Since both libraries are static only, this does not reduce the binary size. On
> > > the other hand, bundled libraries are more likely to work correctly with any
> > > given version of dropbear. The only benefit of using external libraries is when
> > > there is a security update to the libraries. But unless there is a known issue
> > > now, I'm not sure it's worth it.
> > >
> > > Do you see other reasons to prefer unbundling?
> > Well, exactly the one you mention: security issues.
> > In fact, I think you're putting the problem in the wrong direction. I
> > would rather say: "Unless there is a good reason to not use external
> > libraries, we should use external libraries rather than bundled ones".
By default, dropbear prefers unbundled libtom, see
> I think we should be more careful in this case. Crypto primitives are
> "hazmat". dropbear is an actively maintained project. I think we can
> dropbear to react immediately when there is a known issue with the crypto
> libraries that affects the dropbear use case. In my opinion, the danger of
> crypto libraries version mismatch resulting from untested crypto library
> update, outweighs the danger of known vulnerability window in a dropbear
> bundled crypto library.
> https://cryptography.io/en/latest/hazmat/primitives/