Bastien ROUCARIES:
> Dear dd,
>
> I have seen that fedora is trying to consolidate the number of crypto
> package shipped [1]. What do you think about this goal ?
>
> Moreover a lot of keyring solution are available for the desktop but
> are not directly compatible between them, and is near a nig
* Arthur de Jong wrote:
> Although switching SSL/TLS library to something different may be a good
> idea, I don't think it will fix the problem for NSS (Name Service Switch
> here) modules.
Having the whole SSL/TLS handling in a separate daemon would
be a fine idea. Maybe even as an synthenti
* Arthur de Jong wrote:
> Another solution (that Joss already pointed out) is libnss-sss which has
> a slightly broader scope.
In the long run, IMHO, it would be best to move everything
(besides reading local flat files) into its own daemon and
remove the whole plugin stuff from glibc and pam.
Steve Langasek writes ("Re: Crypto consolidation in debian ?"):
> Changing the uid of the calling application is *not* an acceptable side
> effect for a library and I can't imagine how anyone could believe that it
> is. Unfortunately that seems to leave nss_ld
On Sun, 2011-05-08 at 21:25 +0200, Arthur de Jong wrote:
> On Sun, 2011-05-01 at 12:55 +0200, Bastien ROUCARIES wrote:
> > It seems fedora is moving to nss for openldap
>
> I don't think it's completely free from the same kind of issues as
> GNUTLS. For example, I recently came across this:
> ht
On Sun, 2011-05-01 at 12:55 +0200, Bastien ROUCARIES wrote:
> It seems fedora is moving to nss for openldap
I don't think it's completely free from the same kind of issues as
GNUTLS. For example, I recently came across this:
https://bugzilla.redhat.com/show_bug.cgi?id=701587
NSS (Network Securit
On Sun, 2011-05-01 at 14:08 +0100, Roger Leigh wrote:
> If we could move to having a central service, rather than having every
> process load in a pile of extra libraries, I would probably be in
> favour of it. It would make some things, such as NSS queries inside
> chroots, much more efficient an
On Sunday 01 May 2011 at 14:08 +0100, Roger Leigh wrote:
> This is something I can understand to an extent. Having a single
> service providing access to the NSS databases would offer some
> advantages. Unfortunately, I've only ever heard bad things about
> nscd. If we could move to having
Roger Leigh writes:
> This is the root cause, I think. libgcrypt was developed as part of
> gnutls, and although it's a separate library, it's insufficiently
> generalised. It's implicitly doing things the way gnutls wanted them
> doing, and rather than making the library completely general and
Roger Leigh wrote:
> On Sun, May 01, 2011 at 02:29:39PM +0200, Andreas Metzler wrote:
[...]
>> Also libgcrypt does not seem to be designed to be used indirectly (via
>> gnutls) without knowing and caring about it. (Threading, secmem).
>> Which is why about 50% of all gnutls-using packages are usi
* Roger Leigh (rle...@codelibre.net) [110501 15:08]:
> Even if the NSS situation changes, surely it's immediately obvious
> that a random library function should not tamper with the uid of a
> process as a side-effect? Unless the caller explicitly requested
> dropping of root privs, no library has
Andreas Metzler wrote:
> Also libgcrypt does seem to be designed to be used indirectly
^
|
not
On Sun, May 01, 2011 at 02:29:39PM +0200, Andreas Metzler wrote:
> Simon Josefsson wrote:
> [...]
> > It appears to be usable by a lot of projects and people, so that seems
> > like an exaggeration. If I have understood Werner correctly, he
> > believes that it is the setuid binaries that are bro
Simon Josefsson wrote:
[...]
> It appears to be usable by a lot of projects and people, so that seems
> like an exaggeration. If I have understood Werner correctly, he
> believes that it is the setuid binaries that are broken and should be
> fixed.
[...]
Hello,
I would rather say he considers NS
On Sun, May 1, 2011 at 3:23 AM, Steve Langasek wrote:
> On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
>> Roger Leigh writes:
>
>> > libgcrypt has some horrendous bugs which upstream refuse to fix,
>> > for example the broken behaviour relating to setuid binaries
>> > discussed
On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
> Roger Leigh writes:
> > libgcrypt has some horrendous bugs which upstream refuse to fix,
> > for example the broken behaviour relating to setuid binaries
> > discussed previously here, and the hard coded behaviour which
> > makes
On Thu, Apr 28, 2011 at 10:37:37AM +0200, Bastien ROUCARIES wrote:
> So, could we document the different pitfalls of crypto library on the
> debian wiki ?
You could use http://curl.haxx.se/docs/ssl-compared.html
and http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations
as starting points.
On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
> Roger Leigh writes:
>
> > libgcrypt has some horrendous bugs which upstream refuse to fix,
> > for example the broken behaviour relating to setuid binaries
> > discussed previously here, and the hard coded behaviour which
> > make
m...@linux.it (Marco d'Itri) writes:
> On Apr 27, Bastian Blank wrote:
>
>> On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
>> > The reason is that the kind of entities which require FIPS 140 probably
>> > also tend to require corporate vendor support, which we do not provide.
>> Wh
Roger Leigh writes:
> On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
>> Bastien ROUCARIES writes:
>>
>> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> >> bother. Seems like a waste of time to me. If I were going to port to any
>> >> other crypto
On Wed, Apr 27, 2011 at 6:46 PM, Roger Leigh wrote:
> On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
>> Bastien ROUCARIES writes:
>>
>> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> >> bother. Seems like a waste of time to me. If I were going to p
On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
> Bastien ROUCARIES writes:
>
> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> >> bother. Seems like a waste of time to me. If I were going to port to any
> >> other crypto library, I'd port to gcrypto,
Bastien ROUCARIES writes:
>> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> bother. Seems like a waste of time to me. If I were going to port to any
>> other crypto library, I'd port to gcrypto, not NSS.
> See also that suse consider to port to nss
> http://old-en.
On Wed, Apr 27, 2011 at 12:29 PM, Bastian Blank wrote:
> On Wed, Apr 27, 2011 at 11:40:14AM +0200, Bastien ROUCARIES wrote:
>> On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery wrote:
>> > Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> > bother. Seems like a waste of tim
> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> bother. Seems like a waste of time to me. If I were going to port to any
> other crypto library, I'd port to gcrypto, not NSS.
See also that suse consider to port to nss
http://old-en.opensuse.org/SharedCertStore
Basti
On Wed, Apr 27, 2011 at 11:40:14AM +0200, Bastien ROUCARIES wrote:
> On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery wrote:
> > Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> > bother. Seems like a waste of time to me. If I were going to port to any
> > other crypto lib
On Wed, Apr 27, 2011 at 11:40:14 +0200, Bastien ROUCARIES wrote:
> On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery wrote:
> > Bastien ROUCARIES writes:
> >
> >> I have seen that fedora is trying to consolidate the number of crypto
> >> package shipped [1]. What do you think about this goal ?
> >
>
On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery wrote:
> Bastien ROUCARIES writes:
>
>> I have seen that fedora is trying to consolidate the number of crypto
>> package shipped [1]. What do you think about this goal ?
>
> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> bo
On Wed, Apr 27, 2011 at 10:25:30AM +0200, Marco d'Itri wrote:
> On Apr 27, Bastian Blank wrote:
>
> > On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
> > > The reason is that the kind of entities which require FIPS 140 probably
> > > also tend to require corporate vendor support, wh
On Apr 27, Bastian Blank wrote:
> On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
> > The reason is that the kind of entities which require FIPS 140 probably
> > also tend to require corporate vendor support, which we do not provide.
> What is FIPS 140 and why is this important?
It
On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
> The reason is that the kind of entities which require FIPS 140 probably
> also tend to require corporate vendor support, which we do not provide.
What is FIPS 140 and why is this important?
> If building a package with NSS instead of
Bastien ROUCARIES writes:
> I have seen that fedora is trying to consolidate the number of crypto
> package shipped [1]. What do you think about this goal ?
Patches to WebAuth to support NSS are welcome, but I'm sure not going to
bother. Seems like a waste of time to me. If I were going to por
On Tue, Apr 26, 2011 at 7:20 PM, Marco d'Itri wrote:
> On Apr 26, Bastien ROUCARIES wrote:
>
>> I have seen that fedora is trying to consolidate the number of crypto
>> package shipped [1]. What do you think about this goal ?
> While I believe it to be a worthwhile goal, I have serious doubts tha
On Apr 26, Bastien ROUCARIES wrote:
> I have seen that fedora is trying to consolidate the number of crypto
> package shipped [1]. What do you think about this goal ?
While I believe it to be a worthwhile goal, I have serious doubts that
we should actively switch packages to NSS when this causes
On Tue, Apr 26, 2011 at 5:08 PM, Philipp Kern wrote:
> On 2011-04-26, Bastien ROUCARIES wrote:
>> I have seen that fedora is trying to consolidate the number of crypto
>> package shipped [1]. What do you think about this goal ?
>
> Is there any progress on Fedora's effort? So far it seemed like
On 2011-04-26, Bastien ROUCARIES wrote:
> I have seen that fedora is trying to consolidate the number of crypto
> package shipped [1]. What do you think about this goal ?
Is there any progress on Fedora's effort? So far it seemed like Vaporware to
me. (Given that it's not exactly a Fedora featu
Dear dd,
I have seen that fedora is trying to consolidate the number of crypto
package shipped [1]. What do you think about this goal ?
Moreover a lot of keyring solution are available for the desktop but
are not directly compatible between them, and is near a nightmare (for
instance mozilla is n