Re: Crypto consolidation in debian ?
- To: firstname.lastname@example.org
- Subject: Re: Crypto consolidation in debian ?
- From: Andreas Metzler <email@example.com>
- Date: Sun, 1 May 2011 14:29:39 +0200
- Message-id: <[🔎] firstname.lastname@example.org>
- References: <BANLkTinOV0W=O1tQM1jk2GzhvGPXn3k_pA@mail.gmail.com> <email@example.com> <BANLkTimkr59-OymRN=FHV8+E6gH=ic2DBw@mail.gmail.com> <firstname.lastname@example.org> <20110427164643.GJ13524@codelibre.net> <email@example.com>
Simon Josefsson <firstname.lastname@example.org> wrote:
> It appears to be usable by a lot of projects and people, so that seems
> like an exaggeration. If I have understood Werner correctly, he
> believes that it is the setuid binaries that are broken and should be
I would rather say he considers NSS (or PAM) fundamentally broken,
because a tiny, scrutinized SUID binary ends up with *huge* amounts of
external unrelated code in its address space after getpwnam().
Also libgcrypt does seem to be designed to be used indirectly (via
gnutls) without knowing and caring about it. (Threading, secmem).
Which is why about 50% of all gnutls-using packages are using
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'