Hello,

A number of packages, such as openldap, have been changed to support gnutls instead of openssl, to avoid licensing issues in openssl.

However, it appears that gnutls uses libgcrypt, and libgcrypt has several serious design issues.

1. libgcrypt doesn't clean up properly on dlclose, and apparently won't fix the problem:

   http://bugs.debian.org/543941

   This makes gcrypt unsuitable in PAM or NSS. I was told that the fix is to 'add "__attribute__((destructor))" to a cleanup function'.

2. libgcrypt drops root privileges if called setuid, on the assumption that the only reason the program is setuid root is so it can lock memory. Unfortunately this breaks every setuid program that uses PAM when PAM is configured to use ldap and ldap is configured to use gnutls, because gnutls uses gcrypt.

   https://bugs.launchpad.net/ubuntu/+source/schroot/+bug/486944
   http://bugs.debian.org/566351
   http://mid.gmane.org/878wbju9is....@vigenere.g10code.de

Unfortunately, gcrypt is used by gnutls, which is used in ldap, which is frequently used in PAM and NSS. So this is an issue. There might be other NSS and PAM modules that use it too.

What is the solution? Should we go back to using openssl, at least with libraries such as openldap that are commonly used in pam and nss modules? Or is there another way?

Alternatively, have I got something wrong?

--
Brian May <br...@microcomaustralia.com.au>

Archive: http://lists.debian.org/3c5cf5261003081534s5202413dw4d93c80db1a30...@mail.gmail.com
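Issue 1 above, as an added example that is not from the mail, from libgcrypt or from gnutls: a small secret-store module laid out so that its teardown runs from a destructor, the fix the mail mentions, which keeps a dlopen()ed/dlclose()d PAM or NSS module from leaving process-wide state pointing into unmapped code. All names (secmem_*) are my own and assumed.

```c
/* Constructed example: a lazily initialised secret pool whose cleanup is a
 * destructor, so the dynamic loader runs it on dlclose() and at exit. */
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 256

static unsigned char *pool = NULL;      /* lazily allocated secret store */
static size_t pool_used = 0;
static unsigned fini_calls = 0;         /* counts real teardowns, for checking */

/* Idempotent: safe to call from every PAM/NSS entry point. */
int secmem_init(void)
{
    if (pool != NULL)
        return 0;
    pool = calloc(1, POOL_SIZE);
    if (pool == NULL)
        return -1;
    pool_used = 0;
    return 0;
}

/* Hand out a chunk of the pool; NULL when exhausted or init failed. */
unsigned char *secmem_alloc(size_t n)
{
    if (secmem_init() != 0 || n > POOL_SIZE - pool_used)
        return NULL;
    unsigned char *p = pool + pool_used;
    pool_used += n;
    return p;
}

/* Wipe and release. The destructor attribute (GCC/Clang) makes the loader
 * call this on dlclose(); it is also safe to call explicitly and harmless
 * when run twice, because the pointer is cleared after the first run. */
__attribute__((destructor))
void secmem_fini(void)
{
    if (pool == NULL)
        return;
    volatile unsigned char *vp = pool;  /* volatile so the wipe is kept */
    for (size_t i = 0; i < POOL_SIZE; i++)
        vp[i] = 0;
    free(pool);
    pool = NULL;
    pool_used = 0;
    fini_calls++;
}

int secmem_is_initialised(void) { return pool != NULL; }
unsigned secmem_fini_count(void) { return fini_calls; }
```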