
Re: libgcrypt brain dead?



On Tue, 9 Mar 2010, Brian May wrote:

> Unfortunately, gcrypt is used by gnutls, which is used in ldap, which
> is frequently used in PAM and NSS. So this is an issue. There might be
> other NSS and PAM modules that use it too.

Indeed, and this causes significant pain for Debian users in a lot of
environments.
* GnuTLS does not negotiate well with some corporate SSL libraries and
  the kluge patches applied to products like OpenLDAP don't offer the
  ability to turn off TLS 1.1 negotiation

* GnuTLS has other issues (fairly old, but still interesting):
  http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

* Couple this with the fact that our OpenLDAP packages are not new
  enough for multi-master support, and even one of the maintainers
  recommends not using Debian slapd package for 'Production use' -
  and you wind up with a variant of 'DLL Hell', but at least dpkg
  properly reports all failing/conflicting dependencies.

  Note: This would be so much easier if I only needed slapd compiled
  against OpenSSL ... but alas, that is not the case :(

> What is the solution? Should we go back to using openssl, at least
> with libraries such as openldap that are commonly used in pam and nss
> modules?

That would certainly help folks who choose to build their servers on
Debian and must operate in a heterogeneous environment (mostly of older
crap based on older OpenSSL/OpenLDAP/Apache/etc.)

> Or is there another way?

For interoperability, OpenSSL is much better, but there is apparently
still some amount of work to be done on license exemptions (how much?),
and even if that were done, it'd take a bit of work to switch everything
back to it ... if there was consensus

> Alternatively, have I got something wrong?

Exactly correct from my PoV :(

--
Rick Nelson
<SomeLamer> what's the difference between chattr and chmod?
<SomeGuru> SomeLamer: man chattr > 1; man chmod > 2; diff -u 1 2 | less
		-- Seen on #linux on irc

