Bastien ROUCARIES:
Dear dd,
I have seen that fedora is trying to consolidate the number of crypto
packages shipped [1]. What do you think about this goal?
Moreover a lot of keyring solutions are available for the desktop but
are not directly compatible between them, and is near a nightmare
* Arthur de Jong adej...@debian.org wrote:
Although switching SSL/TLS library to something different may be a good
idea, I don't think it will fix the problem for NSS (Name Service Switch
here) modules.
Having the whole SSL/TLS handling in a separate daemon would
be a fine idea. Maybe even
* Arthur de Jong adej...@debian.org wrote:
Another solution (that Joss already pointed out) is libnss-sss which has
a slightly broader scope.
In the long run, IMHO, it would be best to move everything
(besides reading local flat files) into its own daemon and
remove the whole plugin stuff
Steve Langasek writes (Re: Crypto consolidation in debian ?):
Changing the uid of the calling application is *not* an acceptable side
effect for a library and I can't imagine how anyone could believe that it
is. Unfortunately that seems to leave nss_ldap caught between an SSL
implementation
On Sun, 2011-05-01 at 14:08 +0100, Roger Leigh wrote:
If we could move to having a central service, rather than having every
process load in a pile of extra libraries, I would probably be in
favour of it. It would make some things, such as NSS queries inside
chroots, much more efficient and
On Sun, 2011-05-01 at 12:55 +0200, Bastien ROUCARIES wrote:
It seems fedora is moving to nss for openldap
I don't think it's completely free from the same kind of issues as
GNUTLS. For example, I recently came across this:
https://bugzilla.redhat.com/show_bug.cgi?id=701587
NSS (Network
On Sun, 2011-05-08 at 21:25 +0200, Arthur de Jong wrote:
On Sun, 2011-05-01 at 12:55 +0200, Bastien ROUCARIES wrote:
It seems fedora is moving to nss for openldap
I don't think it's completely free from the same kind of issues as
GNUTLS. For example, I recently came across this:
On Sunday, 01 May 2011 at 14:08 +0100, Roger Leigh wrote:
This is something I can understand to an extent. Having a single
service providing access to the NSS databases would offer some
advantages. Unfortunately, I've only ever heard bad things about
nscd. If we could move to having a
On Sun, May 1, 2011 at 3:23 AM, Steve Langasek vor...@debian.org wrote:
On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
Roger Leigh rle...@codelibre.net writes:
libgcrypt has some horrendous bugs which upstream refuse to fix,
for example the broken behaviour relating to
Simon Josefsson si...@josefsson.org wrote:
[...]
It appears to be usable by a lot of projects and people, so that seems
like an exaggeration. If I have understood Werner correctly, he
believes that it is the setuid binaries that are broken and should be
fixed.
[...]
Hello,
I would rather say
On Sun, May 01, 2011 at 02:29:39PM +0200, Andreas Metzler wrote:
Simon Josefsson si...@josefsson.org wrote:
[...]
It appears to be usable by a lot of projects and people, so that seems
like an exaggeration. If I have understood Werner correctly, he
believes that it is the setuid binaries
Andreas Metzler ametz...@downhill.at.eu.org wrote:
Also libgcrypt does seem to be designed to be used indirectly
^
|
not
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble?
* Roger Leigh (rle...@codelibre.net) [110501 15:08]:
Even if the NSS situation changes, surely it's immediately obvious
that a random library function should not tamper with the uid of a
process as a side-effect? Unless the caller explicitly requested
dropping of root privs, no library has
Roger Leigh rle...@codelibre.net wrote:
On Sun, May 01, 2011 at 02:29:39PM +0200, Andreas Metzler wrote:
[...]
Also libgcrypt does not seem to be designed to be used indirectly (via
gnutls) without knowing and caring about it. (Threading, secmem).
Which is why about 50% of all gnutls-using
Roger Leigh rle...@codelibre.net writes:
This is the root cause, I think. libgcrypt was developed as part of
gnutls, and although it's a separate library, it's insufficiently
generalised. It's implicitly doing things the way gnutls wanted them
doing, and rather than making the library
On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
Roger Leigh rle...@codelibre.net writes:
libgcrypt has some horrendous bugs which upstream refuse to fix,
for example the broken behaviour relating to setuid binaries
discussed previously here, and the hard coded behaviour
On Wed, Apr 27, 2011 at 6:46 PM, Roger Leigh rle...@codelibre.net wrote:
On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
Bastien ROUCARIES roucaries.bast...@gmail.com writes:
Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother. Seems like a waste
Roger Leigh rle...@codelibre.net writes:
On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
Bastien ROUCARIES roucaries.bast...@gmail.com writes:
Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother. Seems like a waste of time to me. If I were going
m...@linux.it (Marco d'Itri) writes:
On Apr 27, Bastian Blank wa...@debian.org wrote:
On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
The reason is that the kind of entities which require FIPS 140 probably
also tend to require corporate vendor support, which we do not
On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
Roger Leigh rle...@codelibre.net writes:
libgcrypt has some horrendous bugs which upstream refuse to fix,
for example the broken behaviour relating to setuid binaries
discussed previously here, and the hard coded behaviour
On Thu, Apr 28, 2011 at 10:37:37AM +0200, Bastien ROUCARIES wrote:
So, could we document the different pitfalls of crypto libraries on the
Debian wiki?
You could use http://curl.haxx.se/docs/ssl-compared.html
and http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations
as starting points.
On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
The reason is that the kind of entities which require FIPS 140 probably
also tend to require corporate vendor support, which we do not provide.
What is FIPS 140 and why is this important?
If building a package with NSS instead of
On Apr 27, Bastian Blank wa...@debian.org wrote:
On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
The reason is that the kind of entities which require FIPS 140 probably
also tend to require corporate vendor support, which we do not provide.
What is FIPS 140 and why is this
On Wed, Apr 27, 2011 at 10:25:30AM +0200, Marco d'Itri wrote:
On Apr 27, Bastian Blank wa...@debian.org wrote:
On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
The reason is that the kind of entities which require FIPS 140 probably
also tend to require corporate vendor
On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery r...@debian.org wrote:
Bastien ROUCARIES roucaries.bast...@gmail.com writes:
I have seen that fedora is trying to consolidate the number of crypto
packages shipped [1]. What do you think about this goal?
Patches to WebAuth to support NSS are
On Wed, Apr 27, 2011 at 11:40:14 +0200, Bastien ROUCARIES wrote:
On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery r...@debian.org wrote:
Bastien ROUCARIES roucaries.bast...@gmail.com writes:
I have seen that fedora is trying to consolidate the number of crypto
packages shipped [1]. What do
On Wed, Apr 27, 2011 at 11:40:14AM +0200, Bastien ROUCARIES wrote:
On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery r...@debian.org wrote:
Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother. Seems like a waste of time to me. If I were going to port to any
other
Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother. Seems like a waste of time to me. If I were going to port to any
other crypto library, I'd port to gcrypto, not NSS.
See also that SUSE is considering porting to NSS
http://old-en.opensuse.org/SharedCertStore
Bastien
On Wed, Apr 27, 2011 at 12:29 PM, Bastian Blank wa...@debian.org wrote:
On Wed, Apr 27, 2011 at 11:40:14AM +0200, Bastien ROUCARIES wrote:
On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery r...@debian.org wrote:
Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother.
Bastien ROUCARIES roucaries.bast...@gmail.com writes:
Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother. Seems like a waste of time to me. If I were going to port to any
other crypto library, I'd port to gcrypto, not NSS.
See also that SUSE is considering porting to
On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
Bastien ROUCARIES roucaries.bast...@gmail.com writes:
Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother. Seems like a waste of time to me. If I were going to port to any
other crypto library, I'd
Dear dd,
I have seen that fedora is trying to consolidate the number of crypto
packages shipped [1]. What do you think about this goal?
Moreover a lot of keyring solutions are available for the desktop but
are not directly compatible between them, and is near a nightmare (for
instance mozilla is
On 2011-04-26, Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
I have seen that fedora is trying to consolidate the number of crypto
packages shipped [1]. What do you think about this goal?
Is there any progress on Fedora's effort? So far it seemed like Vaporware to
me. (Given that it's
On Tue, Apr 26, 2011 at 5:08 PM, Philipp Kern tr...@philkern.de wrote:
On 2011-04-26, Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
I have seen that fedora is trying to consolidate the number of crypto
packages shipped [1]. What do you think about this goal?
Is there any progress on
On Apr 26, Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
I have seen that fedora is trying to consolidate the number of crypto
packages shipped [1]. What do you think about this goal?
While I believe it to be a worthwhile goal, I have serious doubts that
we should actively switch
On Tue, Apr 26, 2011 at 7:20 PM, Marco d'Itri m...@linux.it wrote:
On Apr 26, Bastien ROUCARIES roucaries.bast...@gmail.com wrote:
I have seen that fedora is trying to consolidate the number of crypto
packages shipped [1]. What do you think about this goal?
While I believe it to be a
Bastien ROUCARIES roucaries.bast...@gmail.com writes:
I have seen that fedora is trying to consolidate the number of crypto
packages shipped [1]. What do you think about this goal?
Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother. Seems like a waste of time to
37 matches