Bug#368297: About the libgcrypt and OpenLDAP issue
Carlos Alberto Lopez Perez
clopez at igalia.com
Thu Apr 18 18:40:44 UTC 2013
On 18/04/13 20:24, Adam D. Barratt wrote:
> On Thu, 2013-04-18 at 18:58 +0200, Werner Koch wrote:
>> On Tue, 16 Apr 2013 20:37, adam at adam-barratt.org.uk said:
>>
>>> libgcrypt maintainers - any thoughts on this?
>>
>> Did anything change since my comments from 2010?
>>
>> OpenLDAP needs to get it right and it would even be better if all
>> applications would set up their policy regarding their demand for
>> private key protection. For instance by setting up a custom memory
>> handler.
>>
Howard Chu (CC'ed) (main OpenLDAP developer) thinks the other way. Check:
http://bugs.debian.org/658896#115
>> My current problem with OpenLDAP is that it can't be used anymore with
>> GnuTLS 3 because the OpenSSL emulation switched to GPLv3+
>
> GnuTLS 3 isn't particularly relevant to getting this RC bug fixed in
> wheezy, given that wheezy will be shipping with 2.12.
>
>> The straightforward solution would be to change OpenLDAP to use the
>> native GNUTLS API and while at it also fix the libgcrypt
>> initialization.
>
> In less than two weeks, without introducing any new bugs?
>
> The realistic alternatives as far as I can see currently are that the
> suggested fix gets applied or this bug remains unfixed for wheezy.
>
> Opinions that help towards a constructive resolution appreciated.
>
> Regards,
>
> Adam
>
>
I see two options to get this fixed for Wheezy:
[Option 1] -- Do the same as Ubuntu did. That is:
1.a) Patch libgcrypt to revert commit
d769529a71ccda4e833f919f3c5693d25b005ff0
1.b) Patch python-gnutls to fix the regression that 1.a) will introduce.
Check: http://bugs.debian.org/368297#173
[Option 2] -- Patch OpenLDAP to set the flag GCRYCTL_DISABLE_SECMEM if
GCRYCTL_INITIALIZATION_FINISHED is false. This is the patch I previously
proposed at http://bugs.debian.org/368297#135
Any of the two options will fix the problem. Which one is better? You bet