Hi, Michal!

>>>>> On Tue, 22 Jan 2019 23:07:03 +0100, Michal Suchánek wrote:

> On Tue, 22 Jan 2019 12:43:45 -0800
> Lucas De Marchi <lucas.de.marchi@xxxxxxxxx> wrote:
>> On Tue, Jan 22, 2019 at 12:03 PM Michal Suchánek <msuchanek@xxxxxxx>
>> wrote:
>> >
>> > On Tue, 22 Jan 2019 22:01:04 +0200
>> > Yauheni Kaliuta <yauheni.kaliuta@xxxxxxxxxx> wrote:
>> >
>> > > Hi!
>> > >
>> > > Looks like OpenSUSE took the RFC patch.
>> > >
>> > > The diverging doesn't sound nice, frankly speaking.
>> >
>> > Is there an upstream solution?
>> >
>> > The diverging is caused by lack of support upstream.
>>
>> Mea culpa for not deciding with which implementation to go for the
>> next release. We actually have 3 possible implementations: one with
>> openssl, one with gnutls and
>> this one lifting the implementation from the kernel to be used in
>> userspace.

> This is not really about lifting the kernel implementation. It is more
> about using a parser generator to generate code that parses the
> signature. asn1c is specialized on asn1 encoded data such as the PKCS#7
> signature.

>>
>> It would be good to know from downstream their preference to weigh in
>> the decision.

> I think with the size of initrd currently in openSUSE nobody will
> notice a crypto library or two added. For other distributions 0.5M size
> increase in ramdisk may be more noticeable.

> 15M     /boot/initrd-4.19.4-1-default
> 1.7M    /usr/lib64/libgnutls.so.30.22.0
> 437K    /usr/lib64/libssl.so.1.1

> Between gnutls and openssl my impression is that openssl is
> more likely to be included with other tools anyway in more
> featureful ramdisks (ie. kdump over ssh or live system over
> https will need SSL). openssl is also smaller of the two.

Fine. I've resent the openssl version. If you know anybody,
security related, for review, I would appreciate it.

--
WBR,
Yauheni Kaliuta