Re: Crypto consolidation in debian ?

To: debian-devel@lists.debian.org
Subject: Re: Crypto consolidation in debian ?
From: Andreas Metzler <ametzler@downhill.at.eu.org>
Date: Sun, 1 May 2011 14:29:39 +0200
Message-id: <[🔎] ja0098-mlf.ln1@argenau.downhill.at.eu.org>
References: <BANLkTinOV0W=O1tQM1jk2GzhvGPXn3k_pA@mail.gmail.com> <87liywlikq.fsf@windlord.stanford.edu> <BANLkTimkr59-OymRN=FHV8+E6gH=ic2DBw@mail.gmail.com> <87vcxz8xo2.fsf@windlord.stanford.edu> <20110427164643.GJ13524@codelibre.net> <87vcxy34kj.fsf@latte.josefsson.org>

Simon Josefsson <simon@josefsson.org> wrote:
[...]
> It appears to be usable by a lot of projects and people, so that seems
> like an exaggeration.  If I have understood Werner correctly, he
> believes that it is the setuid binaries that are broken and should be
> fixed.
[...]

Hello,
I would rather say he considers NSS (or PAM) fundamentally broken,
because a tiny, scrutinized SUID binary ends up with *huge* amounts of
external unrelated code in its address space after getpwnam().

Also libgcrypt does seem to be designed to be used indirectly (via
gnutls) without knowing and caring about it. (Threading, secmem).
Which is why about 50% of all gnutls-using packages are using
gcry_control.

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Reply to:

Follow-Ups:
- Re: Crypto consolidation in debian ?
  - From: Roger Leigh <rleigh@codelibre.net>
- Re: Crypto consolidation in debian ?
  - From: Andreas Metzler <ametzler@downhill.at.eu.org>

Prev by Date: Re: Bits from the Release Team - Kicking off Wheezy
Next by Date: Re: Bits from the Release Team - Kicking off Wheezy
Previous by thread: Re: Crypto consolidation in debian ?
Next by thread: Re: Crypto consolidation in debian ?
Index(es):
- Date
- Thread