[yocto-security] Default dropbear ciphers should disallow SHA1
richard.purdie at linuxfoundation.org
Sat May 11 04:02:50 PDT 2019
On Wed, 2019-05-08 at 13:18 -0500, Joseph Reynolds wrote:
> Richard and Bernhard,
>
> Thanks for your response. I am glad we are having this discussion.
>
> To be clear about my purpose:
> The OpenBMC project has decided to remove all uses of DH group1 and SHA1
> in KEX and MAC and encryption ciphers because we have security conscious
> users. My question is if (a) OpenBMC carries that patch, or (b)
> Yocto/poky or dropbear carries the patch (which means OpenBMC gets that
> change from its upstream projects). I just want that answer so I know
> where to target this patch (and I understand it's a complicated
> question).

I was asking some questions as we need data to make this decision. I
think right now the approach which would work best for everyone would
be to add the patch to OE-Core but making the configuration conditional
on a PACKAGECONFIG to control it. We may or may not decide to do this
by default, that discussion needs to happen on the OE-Core mailing list
through normal patch review.

Does that give us a way forward?

Cheers,

Richard
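
A check for the policy described in the quoted message (no DH group1 and no SHA1 in KEX or MAC), as an added example that is not part of the original email or of any project's code: it parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and lists the offending algorithm names a server advertises. The function names and the sample payload are constructed for illustration.

```python
import struct

# Name-list order inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
SSH_MSG_KEXINIT = 20
BANNED_TOKENS = {"sha1", "group1"}        # policy from the thread
CHECKED = ("kex", "mac_c2s", "mac_s2c")   # scope from the thread: KEX and MAC

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload (binary packet framing already removed)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}                     # skip message type + 16-byte cookie
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[off:off + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        off += n
    return out

def weak_algorithms(lists: dict) -> list:
    """Return (field, name) pairs whose name carries a banned token."""
    findings = []
    for field in CHECKED:
        for name in lists[field]:
            # Drop any "@domain" suffix, then match whole dash-separated
            # tokens so that group14 and sha256 are not confused with
            # group1 and sha1.
            if set(name.split("@")[0].split("-")) & BANNED_TOKENS:
                findings.append((field, name))
    return findings

def build_kexinit(lists: dict) -> bytes:
    """Build a payload for testing; used here for the constructed sample."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_follows, reserved

# Constructed sample, not captured from any real server.
SAMPLE = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-ed25519"], "enc_c2s": ["aes128-ctr"], "enc_s2c": ["aes128-ctr"],
    "mac_c2s": ["hmac-sha1", "hmac-sha2-256"], "mac_s2c": ["hmac-sha1", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

An empty result from `weak_algorithms(parse_kexinit(payload))` means the advertised KEX and MAC lists satisfy the policy.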