Re: Crypto consolidation in debian ?
On Sun, May 1, 2011 at 3:23 AM, Steve Langasek <vorlon@debian.org> wrote:
> On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
>> Roger Leigh <rleigh@codelibre.net> writes:
>
>> > libgcrypt has some horrendous bugs which upstream refuse to fix,
>> > for example the broken behaviour relating to setuid binaries
>> > discussed previously here, and the hard coded behaviour which
>> > makes it unsuitable for use in general programs. See
>> >
>> > "libgcrypt brain dead?"
>> > 3c5cf5261003081534s5202413dw4d93c80db1a30150@mail.gmail.com
>
>> > Until these major issues are fixed, it's simply unusable.
>
>> It appears to be usable by a lot of projects and people, so that seems
>> like an exaggeration. If I have understood Werner correctly, he
>> believes that it is the setuid binaries that are broken and should be
>> fixed.
>
> As a comaintainer of openldap, which links to gnutls in Debian for license
> reasons, I need to vehemently echo Roger here. sudo most certainly isn't
> broken for being setuid, and libgcrypt should definitely not be ripping its
> suid privs out from under it, yet this is what happens if using nss_ldap
> with an SSL-using LDAP server.
>
> http://bugs.debian.org/566351
> https://bugs.launchpad.net/bugs/423252
>
> Changing the uid of the calling application is *not* an acceptable side
> effect for a library and I can't imagine how anyone could believe that it
> is. Unfortunately that seems to leave nss_ldap caught between an SSL
> implementation with a perverse license, and an SSL implementation whose
> upstream has perverse ideas about library handling of process state.
It seems fedora is moving to nss for openldap
https://fedoraproject.org/wiki/Test_Day:2010-10-14_OpenLDAP/NSS
Have you tested ?
Bastien
Reply to: