Bug#368297: About the libgcrypt and OpenLDAP issue
Howard Chu
hyc at symas.com
Fri Apr 19 07:22:24 UTC 2013
Werner Koch wrote:
> On Thu, 18 Apr 2013 20:40, clopez at igalia.com said:
>
>> I see two options to get this fixed for Wheezy:
>>
>> [Option 1] -- Do the same that Ubuntu did. That is:
>>
>> 1.a) Patch libgcrypt to revert commit
>> d769529a71ccda4e833f919f3c5693d25b005ff0
>
> Urgs. That is a short sighted fix.
>
>> [Option 2] -- Patch OpenLDAP to set the flag GCRYCTL_DISABLE_SECMEM if
>> GCRYCTL_INITIALIZATION_FINISHED is false. This is the patch I previously
>> proposed at http://bugs.debian.org/368297#135
>
> That is the most correct solution.
Excuse me? By what measure is this correct? Certainly not by any published
official documentation.
> Any application (not library) which
> wants to use that mlock protected memory (aka secure memory) needs to
> make sure that libgcrypt has been initialized correctly. Thus if the
> application does not do that and a library wants to do its own thing,
> that library should do it in the above way.
The OpenLDAP library doesn't want one thing or another at all. It simply is
expected to use GnuTLS on Debian and it initializes it as documented.
Frankly, speaking for the OpenLDAP Project, what we want is to delete all
support for GnuTLS. It is, like Mozilla NSS, a poorly designed API with
requirements that are impossible to satisfy in the real world, and more
trouble than it's worth.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/