Re: Crypto consolidation in debian ?
On Sun, May 1, 2011 at 3:23 AM, Steve Langasek <email@example.com> wrote:
> On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
>> Roger Leigh <firstname.lastname@example.org> writes:
>> > libgcrypt has some horrendous bugs which upstream refuse to fix,
>> > for example the broken behaviour relating to setuid binaries
>> > discussed previously here, and the hard coded behaviour which
>> > makes it unsuitable for use in general programs. See
>> > "libgcrypt brain dead?"
>> > email@example.com
>> > Until these major issues are fixed, it's simply unusable.
>> It appears to be usable by a lot of projects and people, so that seems
>> like an exaggeration. If I have understood Werner correctly, he
>> believes that it is the setuid binaries that are broken and should be
> As a comaintainer of openldap, which links to gnutls in Debian for license
> reasons, I need to vehemently echo Roger here. sudo most certainly isn't
> broken for being setuid, and libgcrypt should definitely not be ripping its
> suid privs out from under it, yet this is what happens if using nss_ldap
> with an SSL-using LDAP server.
> Changing the uid of the calling application is *not* an acceptable side
> effect for a library and I can't imagine how anyone could believe that it
> is. Unfortunately that seems to leave nss_ldap caught between an SSL
> implementation with a perverse license, and an SSL implementation whose
> upstream has perverse ideas about library handling of process state.
It seems fedora is moving to nss for openldap
Have you tested ?