Re: Crypto consolidation in debian ?
- To: email@example.com
- Subject: Re: Crypto consolidation in debian ?
- From: Steve Langasek <firstname.lastname@example.org>
- Date: Sat, 30 Apr 2011 18:23:28 -0700
- Message-id: <[🔎] 20110501012328.GB22825@virgil.dodds.net>
- Mail-followup-to: email@example.com
- In-reply-to: <firstname.lastname@example.org>
- References: <BANLkTinOV0W=O1tQM1jk2GzhvGPXn3k_pA@mail.gmail.com> <email@example.com> <BANLkTimkr59-OymRN=FHV8+E6gH=ic2DBw@mail.gmail.com> <firstname.lastname@example.org> <20110427164643.GJ13524@codelibre.net> <email@example.com>
On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
> Roger Leigh <firstname.lastname@example.org> writes:
> > libgcrypt has some horrendous bugs which upstream refuse to fix,
> > for example the broken behaviour relating to setuid binaries
> > discussed previously here, and the hard coded behaviour which
> > makes it unsuitable for use in general programs. See
> > "libgcrypt brain dead?"
> > email@example.com
> > Until these major issues are fixed, it's simply unusable.
> It appears to be usable by a lot of projects and people, so that seems
> like an exaggeration. If I have understood Werner correctly, he
> believes that it is the setuid binaries that are broken and should be
As a comaintainer of openldap, which links to gnutls in Debian for license
reasons, I need to vehemently echo Roger here. sudo most certainly isn't
broken for being setuid, and libgcrypt should definitely not be ripping its
suid privs out from under it, yet this is what happens if using nss_ldap
with an SSL-using LDAP server.
Changing the uid of the calling application is *not* an acceptable side
effect for a library and I can't imagine how anyone could believe that it
is. Unfortunately that seems to leave nss_ldap caught between an SSL
implementation with a perverse license, and an SSL implementation whose
upstream has perverse ideas about library handling of process state.
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/