[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: libgcrypt brain dead?

Richard A Nelson <cowboy@debian.org> writes:

> Indeed, and this causes significant pain for Debian users in a lot of
> environments.
> * GnuTLS does not negotiate well with some corporate SSL libraries and
>   the kluge patches applied to products like OpenLDAP don't offer the
>   ability to turn of TLS 1.1 negotiation

> * GnuTLS has other issues (fairly old, but still interesting):
>   http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

> * Couple this with the fact that our OpenLDAP packages are not new
>   enough for multi-master support, and even one of the maintainers
>   recommends not using Debian slapd package for 'Production use' -
>   and you wind up with a variant of 'DLL Hell', but at least dpkg
>   properly reports all failing/conflicting dependencies.

>   Note: This would be so much easier if I only needed slapd compiled
>   against OpenSSL ... but alas, that is not the case :(

I am certain that all of the problems with the Debian OpenLDAP packages
are resolvable without switching away from GnuTLS.  The problem is that
the OpenLDAP packaging team in Debian has almost no resources.  Neither
Steve nor I have any time to spend on it, and I at least got involved only
out of self-defense since the package in danger of being unmaintained.  (I
think the same may also be true of Steve.)  There's a long-standing RFH
which has gotten a fair number of responses, but no one involved on the
team really has time to mentor people in how to work on Debian packaging
either and so far the responses haven't translated into people with free
time and the necessary skills to jump in and help.

We would greatly appreciate the help of an experienced Debian packager to
bring the package up to date and to track down the TLS interaction
problems with GnuTLS.  Upstream for GnuTLS is quite responsive, and
upstream for OpenLDAP, while not very fond of GnuTLS, has always been
willing to take patches if someone can clearly explain the issue.

>> Or is there another way?

> For interoperability, OpenSSL is much better, but there is apparently
> still some amount of work to be done on license exemptions (how much?),
> and even if that were done, it'd take a bit of work to switch everything
> back to it ... if there was concensus

The primary problem with using OpenSSL with OpenLDAP is NSS and PAM
modules, which pull the libraries into just about any GPL'd (or
other-licensed) package in the distribution in one way or another.  The
first step would be to reach consensus on removing from our archive the
traditional LDAP NSS and PAM modules and replacing them with the ldapd
versions, which talk to a system daemon over a protocol rather than pull
all the libraries into the same executable.

Once that's been done, the problem of getting license exceptions for all
other GPL packages that link directly to OpenLDAP might be tractable.  (Or
it might not; I haven't done any of the necessary investigative work.)

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: