Re: libgcrypt brain dead?
On Tue, 9 Mar 2010, Brian May wrote:
> Unfortunately, gcrypt is used by gnutls, which is used in ldap, which
> is frequently used in PAM and NSS. So this is an issue. There might be
> other NSS and PAM modules that use it too.

Indeed, and this causes significant pain for Debian users in a lot of
* GnuTLS does not negotiate well with some corporate SSL libraries and
  the kluge patches applied to products like OpenLDAP don't offer the
  ability to turn off TLS 1.1 negotiation
* GnuTLS has other issues (fairly old, but still interesting):
* Couple this with the fact that our OpenLDAP packages are not new
  enough for multi-master support, and even one of the maintainers
  recommends not using Debian slapd package for 'Production use' -
  and you wind up with a variant of 'DLL Hell', but at least dpkg
  properly reports all failing/conflicting dependencies.

Note: This would be so much easier if I only needed slapd compiled
against OpenSSL ... but alas, that is not the case :(

> What is the solution? Should we go back to using openssl, at least
> with libraries such as openldap that are commonly used in pam and nss

That would certainly help folks who choose to build their servers on
Debian and must operate in a heterogeneous environment (mostly of older
crap based on older OpenSSL/OpenLDAP/Apache/etc.)

> Or is there another way?

For interoperability, OpenSSL is much better, but there is apparently
still some amount of work to be done on license exemptions (how much?),
and even if that were done, it'd take a bit of work to switch everything
back to it ... if there was consensus

> Alternatively, have I got something wrong?

Exactly correct from my PoV :(

<SomeLamer> what's the difference between chattr and chmod?
<SomeGuru> SomeLamer: man chattr > 1; man chmod > 2; diff -u 1 2 | less
-- Seen on #linux on irc