[dev] FRR crypto in Fedora and RHEL
michalruprich at gmail.com
Mon Jul 1 02:42:23 EDT 2019
On 6/25/19 10:03 PM, Donald Sharp wrote:
> Removing code and depending on system libraries are fine from my
> perspective as long as the new library dependencies are for commonly
> available libraries available across all the systems we care about.
> This includes the *bsd's. My assumption is that this is probably
> true, correct?
Of course, I am planning to use openssl or gnutls. Ideally I would like
to make the build optional so that other distributions may choose if
they prefer something else. Is there a specific list of systems that you
care about? I would like to make sure that they all support these libraries.
> If you are willing to do the work, please feel free to reach out to me
> if you have any specific questions. We've tried to document our
> workflow as best as possible in doc/developer/workflow.rst.
> On Tue, Jun 25, 2019 at 11:00 AM Michal Ruprich <michalruprich at gmail.com> wrote:
>> Hi all,
>> now that FRR is making its way to Fedora, perhaps it will eventually
>> make its way to RHEL-8 as well. In both Fedora and RHEL, we are tying to
>> make sure that every package that uses cryptographic algorithms and
>> protocols uses these correctly. Crypto algorithms are not easy to
>> implement and we are trying to encourage developers to use system
>> libraries that have been certified as secure and well implemented. With
>> every crypto algorithm that is implemented from scratch, it brings a
>> potential security risk to the system.
>> In FRR, md5 and sha256 are used as authentication methods for various
>> routing daemons. These are implemented from scratch. This creates an
>> issue for us and it could eventually result in FRR not getting in RHEL-8
>> at all. I would like to ask you, whether you would be willing to use
>> system libraries to implement these algorithms. I will do all the work
>> and provide patches and pull requests, of course. I believe that getting
>> FRR into RHEL-8 is worth it.
>> Michal Ruprich
>> dev mailing list
>> dev at lists.frrouting.org
More information about the dev