[dev] FRR crypto in Fedora and RHEL

Donald Sharp sharpd at cumulusnetworks.com
Mon Jul 1 07:54:21 EDT 2019


Linux, FreeBSD, OpenBSD and NetBSD.  Solaris(Omnios) is `at your own
risk` and OSX is `assembly required with an advanced toolset and a
blowtorch`

thanks!

donald

On Mon, Jul 1, 2019 at 2:42 AM Michal Ruprich <michalruprich at gmail.com> wrote:
>
> Hi Donald,
>
> On 6/25/19 10:03 PM, Donald Sharp wrote:
> > Removing code and depending on system libraries are fine from my
> > perspective as long as the new library dependencies are for commonly
> > available libraries available across all the systems we care about.
> > This includes the *bsd's.  My assumption is that this is probably
> > true, correct?
>
> Of course, I am planning to use openssl or gnutls. Ideally I would like
> to make the build optional so that other distributions may choose if
> they prefer something else. Is there a specific list of systems that you
> care about? I would like to make sure that they all support these libraries.
>
> Thanks.
>
> Michal
>
> >
> > If you are willing to do the work, please feel free to reach out to me
> > if you have any specific questions.  We've tried to document our
> > workflow as best as possible in doc/developer/workflow.rst.
> >
> > donald
> >
> > On Tue, Jun 25, 2019 at 11:00 AM Michal Ruprich <michalruprich at gmail.com> wrote:
> >> Hi all,
> >>
> >> now that FRR is making its way to Fedora, perhaps it will eventually
> >> make its way to RHEL-8 as well. In both Fedora and RHEL, we are trying to
> >> make sure that every package that uses cryptographic algorithms and
> >> protocols uses these correctly. Crypto algorithms are not easy to
> >> implement and we are trying to encourage developers to use system
> >> libraries that have been certified as secure and well implemented. With
> >> every crypto algorithm that is implemented from scratch, it brings a
> >> potential security risk to the system.
> >>
> >> In FRR, md5 and sha256 are used as authentication methods for various
> >> routing daemons. These are implemented from scratch. This creates an
> >> issue for us and it could eventually result in FRR not getting in RHEL-8
> >> at all. I would like to ask you, whether you would be willing to use
> >> system libraries to implement these algorithms. I will do all the work
> >> and provide patches and pull requests, of course. I believe that getting
> >> FRR into RHEL-8 is worth it.
> >>
> >> Regards,
> >>
> >> Michal Ruprich
> >>
> >>


