On 18/04/13 20:24, Adam D. Barratt wrote:
> On Thu, 2013-04-18 at 18:58 +0200, Werner Koch wrote:
>> On Tue, 16 Apr 2013 20:37, a...@adam-barratt.org.uk said:
>>
>>> libgcrypt maintainers - any thoughts on this?
>>
>> Did anything change since my comments from 2010?
>>
>> OpenLDAP needs to get it right and it would even be better if all
>> applications would set up their policy regarding their demand for
>> private key protection. For instance by setting up a custom memory
>> handler.
>>

Howard Chu (CC'ed) (main OpenLDAP developer) thinks the other way. Check:
http://bugs.debian.org/658896#115

>> My current problem with OpenLDAP is that it can't be used anymore with
>> GnuTLS 3 because the OpenSSL emulation switched to GPLv3+
>
> GnuTLS 3 isn't particularly relevant to getting this RC bug fixed in
> wheezy, given that wheezy will be shipping with 2.12.
>
>> The straightforward solution would be to change OpenLDAP to use the
>> native GNUTLS API and while at it also fix the libgcrypt
>> initialization.
>
> In less than two weeks, without introducing any new bugs?
>
> The realistic alternatives as far as I can see currently are that the
> suggested fix gets applied or this bug remains unfixed for wheezy.
>
> Opinions that help towards a constructive resolution appreciated.
>
> Regards,
>
> Adam
>

I see two options to get this fixed for Wheezy:

[Option 1] -- Do the same as Ubuntu did. That is:
1.a) Patch libgcrypt to revert commit d769529a71ccda4e833f919f3c5693d25b005ff0
1.b) Patch python-gnutls to fix the regression that 1.a) will introduce.
Check: http://bugs.debian.org/368297#173

[Option 2] -- Patch OpenLDAP to set the flag GCRYCTL_DISABLE_SECMEM if
GCRYCTL_INITIALIZATION_FINISHED is false. This is the patch I previously
proposed at http://bugs.debian.org/368297#135

Either of the two options will fix the problem. Which one is better? You bet