On Fri, May 03, 2002 at 07:56:43AM -0700, [EMAIL PROTECTED] wrote:
> This message is a warning:
>
> --with-ssl will die.
>
> Ok, that's enough with the dramatics, but the general consensus amongst the
> Samba team is that --with-ssl really isn't a particularly smart idea, and
> it is better implemented by external tools.
>
> So what is --with-ssl exactly? And why kill it?
>
> --with-ssl allows Samba to tunnel SMB inside an SSL connection. Unfortunately
> there are only 2 clients: smbclient and sharity. Windows clients simply
> don't know how to use SSL.
>
> So why kill it? It might be useful to somebody?
>
> While some small minority of users might find it handy, it confuses many more,
> including a surprising number of our distributors. Users actually using this
> functionality will find that they can achieve almost the same effect by creative
> use of 'stunnel' both as an inetd wrapper and as a 'LIBSMB_PROG' program.
>
> Finally, it is intrusive and ugly, with large #ifdef sections in what should
> be simple code.
>
> If somebody can come up with both reasons to keep this code, and time to
> maintain it, then I would like to hear it.

Though I don't object to --with-ssl's presence if someone is willing to maintain it, there are a variety of reasons why Debian has never enabled this option, and probably never will. Having gotten past the obstacle of US export law, it's now been pointed out[1] that the GPL does not permit us as a distributor to ship GPLed binaries linked against OpenSSL together with the OpenSSL libraries themselves; unless all copyright holders in Samba are willing to grant an explicit exemption for linking with OpenSSL, Debian is not willing to expose itself or its mirror operators to the legal risk.

Assuming everyone was ok with the legal minutiae, we would still have to decide if SSL was really worth enabling. I've always been lukewarm about this option, because setting up an SSL tunnel on the Unix side has always been the /easy/ part: it's configuring all of your Windows clients (of varying flavors) to use SSL for SMB connections that takes doing.

So the savings of having SSL support compiled into Samba are minimal, but the potential headaches are numerous. I'd almost say you'd be doing users a favor by removing this option.

Steve Langasek
postmodern programmer

[1] http://lists.debian.org/debian-devel/2002/debian-devel-200203/msg01569.html et al.