Re: Crypto consolidation in debian ?

On Sun, May 1, 2011 at 3:23 AM, Steve Langasek <vorlon@debian.org> wrote:
> On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
>> Roger Leigh <rleigh@codelibre.net> writes:
>> > libgcrypt has some horrendous bugs which upstream refuse to fix,
>> > for example the broken behaviour relating to setuid binaries
>> > discussed previously here, and the hard coded behaviour which
>> > makes it unsuitable for use in general programs.  See
>> >
>> > "libgcrypt brain dead?"
>> > 3c5cf5261003081534s5202413dw4d93c80db1a30150@mail.gmail.com
>> > Until these major issues are fixed, it's simply unusable.
>> It appears to be usable by a lot of projects and people, so that seems
>> like an exaggeration.  If I have understood Werner correctly, he
>> believes that it is the setuid binaries that are broken and should be
>> fixed.
> As a comaintainer of openldap, which links to gnutls in Debian for license
> reasons, I need to vehemently echo Roger here.  sudo most certainly isn't
> broken for being setuid, and libgcrypt should definitely not be ripping its
> suid privs out from under it, yet this is what happens if using nss_ldap
> with an SSL-using LDAP server.
>  http://bugs.debian.org/566351
>  https://bugs.launchpad.net/bugs/423252
> Changing the uid of the calling application is *not* an acceptable side
> effect for a library and I can't imagine how anyone could believe that it
> is.  Unfortunately that seems to leave nss_ldap caught between an SSL
> implementation with a perverse license, and an SSL implementation whose
> upstream has perverse ideas about library handling of process state.

It seems Fedora is moving to nss for openldap


Have you tested?
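As an added example that is not code from this thread nor from libgcrypt, nss_ldap or OpenLDAP: a credential guard that a setuid program can wrap around any library initialisation call, so that the behaviour Steve describes above (a library calling setuid() on the process behind the caller's back) is detected and reported instead of silently leaving the program without the privileges it was installed with. The names `guarded_init`, `polite_init` and `privdrop_init` are hypothetical; `privdrop_init` only models the complained-about behaviour and is a no-op in a process that is not setuid.

```c
/* Credential guard around a library init call (added illustration,
 * not code from the thread or from any of the libraries it names). */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

struct creds {
    uid_t uid, euid;
    gid_t gid, egid;
};

static void snapshot(struct creds *c)
{
    c->uid = getuid();  c->euid = geteuid();
    c->gid = getgid();  c->egid = getegid();
}

/* Run init() and report whether any credential of the process changed.
 * Returns 0 if unchanged, 1 if changed; *before and *after keep the
 * observed values so the caller can log exactly what moved. */
int guarded_init(void (*init)(void), struct creds *before, struct creds *after)
{
    snapshot(before);
    init();
    snapshot(after);
    return before->uid  != after->uid  || before->euid != after->euid ||
           before->gid  != after->gid  || before->egid != after->egid;
}

/* Hypothetical well-behaved library init: touches no process state. */
void polite_init(void) { }

/* Hypothetical misbehaving init, modelled on the behaviour the thread
 * complains about: drops the effective uid back to the real uid.
 * Outside a setuid process getuid() == geteuid(), so nothing happens. */
void privdrop_init(void)
{
    if (getuid() != geteuid())
        (void)setuid(getuid());
}

int main(void)
{
    struct creds b, a;
    if (guarded_init(privdrop_init, &b, &a)) {
        fprintf(stderr, "library init changed credentials: euid %u -> %u\n",
                (unsigned)b.euid, (unsigned)a.euid);
        return 1;   /* refuse to continue with unexpected privileges */
    }
    puts("credentials unchanged across library init");
    return 0;
}
```

In a real setuid binary the guard goes around the first call into the library (for libgcrypt that would be its version check and secure-memory setup); if it reports a change, the safe choice is to abort rather than continue with a privilege state the program was not written for.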
