Re: Crypto consolidation in debian ?
Roger Leigh <firstname.lastname@example.org> writes:
> On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
>> Bastien ROUCARIES <email@example.com> writes:
>> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> >> bother. Seems like a waste of time to me. If I were going to port to any
>> >> other crypto library, I'd port to gcrypto, not NSS.
>> > See also that suse consider to port to nss
>> > http://old-en.opensuse.org/SharedCertStore
>> That's fine. They can send me patches too if they want. :) I'm still
>> not interested; I'd rather put whatever time I had into making gnutls and
>> gcrypto better, particularly since I think FIPS certification is just a
>> money-making racket.
> libgcrypt has some horrendous bugs which upstream refuse to fix,
> for example the broken behaviour relating to setuid binaries
> discussed previously here, and the hard coded behaviour which
> makes it unsuitable for use in general programs. See
> "libgcrypt brain dead?"
> Until these major issues are fixed, it's simply unusable.
It appears to be usable by a lot of projects and people, so that seems
like an exaggeration. If I have understood Werner correctly, he
believes that it is the setuid binaries that are broken and should be