[dev] FRR crypto in Fedora and RHEL

Donald Sharp sharpd at cumulusnetworks.com
Tue Jun 25 16:03:29 EDT 2019


Removing code and depending on system libraries are fine from my
perspective as long as the new library dependencies are for commonly
available libraries available across all the systems we care about.
This includes the *bsd's.  My assumption is that this is probably
true, correct?

If you are willing to do the work, please feel free to reach out to me
if you have any specific questions.  We've tried to document our
workflow as best as possible in doc/developer/workflow.rst.

donald

On Tue, Jun 25, 2019 at 11:00 AM Michal Ruprich <michalruprich at gmail.com> wrote:
>
> Hi all,
>
> now that FRR is making its way to Fedora, perhaps it will eventually
> make its way to RHEL-8 as well. In both Fedora and RHEL, we are trying to
> make sure that every package that uses cryptographic algorithms and
> protocols uses these correctly. Crypto algorithms are not easy to
> implement and we are trying to encourage developers to use system
> libraries that have been certified as secure and well implemented. With
> every crypto algorithm that is implemented from scratch, it brings a
> potential security risk to the system.
>
> In FRR, md5 and sha256 are used as authentication methods for various
> routing daemons. These are implemented from scratch. This creates an
> issue for us and it could eventually result in FRR not getting in RHEL-8
> at all. I would like to ask you, whether you would be willing to use
> system libraries to implement these algorithms. I will do all the work
> and provide patches and pull requests, of course. I believe that getting
> FRR into RHEL-8 is worth it.
>
> Regards,
>
> Michal Ruprich


