 
Old 04-27-2011, 10:13 AM
Julien Cristau
 
Default Crypto consolidation in debian ?

On Wed, Apr 27, 2011 at 11:40:14 +0200, Bastien ROUCARIES wrote:

> On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery <rra@debian.org> wrote:
> > Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
> >
> >> I have seen that fedora is trying to consolidate the number of crypto
> >> package shipped [1]. What do you think about this goal ?
> >
> > Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> > bother. Seems like a waste of time to me. If I were going to port to any
> > other crypto library, I'd port to gcrypto, not NSS.
>
> Gcrypto is GPL and thus incompatible with a lot of crypto packages
> unfortunately. Not good for consolidation

If you mean gcrypt, it's LGPL, which should be fine. So is gnutls
(except for its openssl wrapper). If you're talking about something
else, what is it?

Cheers,
Julien


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110427101336.GO2790@radis.liafa.jussieu.fr
 
Old 04-27-2011, 10:29 AM
Bastien ROUCARIES
 
Default Crypto consolidation in debian ?

> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> bother. Seems like a waste of time to me. If I were going to port to any
> other crypto library, I'd port to gcrypto, not NSS.

See also that SUSE is considering porting to NSS
http://old-en.opensuse.org/SharedCertStore

Bastien


--
Archive: http://lists.debian.org/BANLkTimkr59-OymRN=FHV8+E6gH=ic2DBw@mail.gmail.com
 
Old 04-27-2011, 10:29 AM
Bastian Blank
 
Default Crypto consolidation in debian ?

On Wed, Apr 27, 2011 at 11:40:14AM +0200, Bastien ROUCARIES wrote:
> On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery <rra@debian.org> wrote:
> > Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> > bother. Seems like a waste of time to me. If I were going to port to any
> > other crypto library, I'd port to gcrypto, not NSS.
> Gcrypto is GPL and thus incompatible with a lot of crypto packages
> unfortunately. Not good for consolidation

So is libnss, at least the version on my workstation. Your point taken?

Oh. And parts are 4-clause BSD (if I read this correctly).

Bastian

--
... The prejudices people feel about each other disappear when they get
to know each other.
-- Kirk, "Elaan of Troyius", stardate 4372.5


--
Archive: http://lists.debian.org/20110427102932.GA2445@wavehammer.waldi.eu.org
 
Old 04-27-2011, 10:43 AM
Bastien ROUCARIES
 
Default Crypto consolidation in debian ?

On Wed, Apr 27, 2011 at 12:29 PM, Bastian Blank <waldi@debian.org> wrote:
> On Wed, Apr 27, 2011 at 11:40:14AM +0200, Bastien ROUCARIES wrote:
>> On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery <rra@debian.org> wrote:
>> > Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> > bother. Seems like a waste of time to me. If I were going to port to any
>> > other crypto library, I'd port to gcrypto, not NSS.
>> Gcrypto is GPL and thus incompatible with a lot of crypto packages
>> unfortunately. Not good for consolidation
>
> So is libnss, at least the version on my workstation. Your point taken?
>
> Oh. And parts are 4-clause BSD (if I read this correctly).

Debian copyright is out of date, the clause was removed by Berkeley and
reflected on the source...

The main point is the FIPS 140 certification for external software if
using some simple rules documented at
http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf

Bastien


--
Archive: http://lists.debian.org/BANLkTiksQ62wdqca7NOUehxgzA8eHnaT4A@mail.gmail.com
 
Old 04-27-2011, 04:30 PM
Russ Allbery
 
Default Crypto consolidation in debian ?

Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:

>> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> bother. Seems like a waste of time to me. If I were going to port to any
>> other crypto library, I'd port to gcrypto, not NSS.

> See also that SUSE is considering porting to NSS
> http://old-en.opensuse.org/SharedCertStore

That's fine. They can send me patches too if they want. I'm still
not interested; I'd rather put whatever time I had into making gnutls and
gcrypto better, particularly since I think FIPS certification is just a
money-making racket.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
Archive: http://lists.debian.org/87vcxz8xo2.fsf@windlord.stanford.edu
 
Old 04-27-2011, 04:46 PM
Roger Leigh
 
Default Crypto consolidation in debian ?

On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
> Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
>
> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> >> bother. Seems like a waste of time to me. If I were going to port to any
> >> other crypto library, I'd port to gcrypto, not NSS.
>
> > See also that SUSE is considering porting to NSS
> > http://old-en.opensuse.org/SharedCertStore
>
> That's fine. They can send me patches too if they want. I'm still
> not interested; I'd rather put whatever time I had into making gnutls and
> gcrypto better, particularly since I think FIPS certification is just a
> money-making racket.

libgcrypt has some horrendous bugs which upstream refuse to fix,
for example the broken behaviour relating to setuid binaries
discussed previously here, and the hard coded behaviour which
makes it unsuitable for use in general programs. See

"libgcrypt brain dead?" 3c5cf5261003081534s5202413dw4d93c80db1a30150@mail.gmail.com

Until these major issues are fixed, it's simply unusable.

Ideally, the software relying on the broken behaviour needs fixing,
and then libgcrypt can remove this idiotic special casing.


Regards,
Roger

--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
 
Old 04-28-2011, 08:37 AM
Bastien ROUCARIES
 
Default Crypto consolidation in debian ?

On Wed, Apr 27, 2011 at 6:46 PM, Roger Leigh <rleigh@codelibre.net> wrote:
> On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
>> Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
>>
>> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> >> bother. Seems like a waste of time to me. If I were going to port to any
>> >> other crypto library, I'd port to gcrypto, not NSS.
>>
>> > See also that SUSE is considering porting to NSS
>> > http://old-en.opensuse.org/SharedCertStore
>>
>> That's fine. They can send me patches too if they want. I'm still
>> not interested; I'd rather put whatever time I had into making gnutls and
>> gcrypto better, particularly since I think FIPS certification is just a
>> money-making racket.
>
> libgcrypt has some horrendous bugs which upstream refuse to fix,
> for example the broken behaviour relating to setuid binaries
> discussed previously here, and the hard coded behaviour which
> makes it unsuitable for use in general programs. See
>
> "libgcrypt brain dead?" 3c5cf5261003081534s5202413dw4d93c80db1a30150@mail.gmail.com
>
> Until these major issues are fixed, it's simply unusable.
>
> Ideally, the software relying on the broken behaviour needs fixing,
> and then libgcrypt can remove this idiotic special casing.

So, could we document the different pitfalls of crypto libraries on the
Debian wiki?

Bastien


--
Archive: http://lists.debian.org/BANLkTik5tkxE+PJG6-fvynMrHbdRo+BAXA@mail.gmail.com
 
Old 04-28-2011, 01:06 PM
Simon Josefsson
 
Default Crypto consolidation in debian ?

md@Linux.IT (Marco d'Itri) writes:

> On Apr 27, Bastian Blank <waldi@debian.org> wrote:
>
>> On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
>> > The reason is that the kind of entities which require FIPS 140 probably
>> > also tend to require corporate vendor support, which we do not provide.
>> What is FIPS 140 and why is this important?
> It is a certification required by USG and many financial customers.

For what it's worth, libgcrypt was in FIPS evaluation a long time ago and
may even be certified by now.

/Simon


--
Archive: http://lists.debian.org/87zkna34qf.fsf@latte.josefsson.org
 
Old 04-28-2011, 01:09 PM
Simon Josefsson
 
Default Crypto consolidation in debian ?

Roger Leigh <rleigh@codelibre.net> writes:

> On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
>> Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
>>
>> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> >> bother. Seems like a waste of time to me. If I were going to port to any
>> >> other crypto library, I'd port to gcrypto, not NSS.
>>
>> > See also that SUSE is considering porting to NSS
>> > http://old-en.opensuse.org/SharedCertStore
>>
>> That's fine. They can send me patches too if they want. I'm still
>> not interested; I'd rather put whatever time I had into making gnutls and
>> gcrypto better, particularly since I think FIPS certification is just a
>> money-making racket.
>
> libgcrypt has some horrendous bugs which upstream refuse to fix,
> for example the broken behaviour relating to setuid binaries
> discussed previously here, and the hard coded behaviour which
> makes it unsuitable for use in general programs. See
>
> "libgcrypt brain dead?"
> 3c5cf5261003081534s5202413dw4d93c80db1a30150@mail.gmail.com
>
> Until these major issues are fixed, it's simply unusable.

It appears to be usable by a lot of projects and people, so that seems
like an exaggeration. If I have understood Werner correctly, he
believes that it is the setuid binaries that are broken and should be
fixed.

/Simon


--
Archive: http://lists.debian.org/87vcxy34kj.fsf@latte.josefsson.org
 

All times are GMT.