On Wed, Apr 27, 2011 at 11:40:14 +0200, Bastien ROUCARIES wrote:
> On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery <rra@debian.org> wrote:
> > Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
> >
> >> I have seen that Fedora is trying to consolidate the number of crypto
> >> packages shipped [1]. What do you think about this goal?
> >
> > Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> > bother. Seems like a waste of time to me. If I were going to port to any
> > other crypto library, I'd port to gcrypto, not NSS.
>
> Gcrypto is GPL and thus incompatible with a lot of crypto packages,
> unfortunately. Not good for consolidation.
If you mean gcrypt, it's LGPL, which should be fine. So is gnutls
(except for its openssl wrapper). If you're talking about something
else, what is it?
Cheers,
Julien
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110427101336.GO2790@radis.liafa.jussieu.fr
04-27-2011, 10:29 AM
Bastien ROUCARIES
Crypto consolidation in debian ?
> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> bother. Seems like a waste of time to me. If I were going to port to any
> other crypto library, I'd port to gcrypto, not NSS.
See also that SUSE is considering porting to NSS:
http://old-en.opensuse.org/SharedCertStore
Bastien
Archive: http://lists.debian.org/BANLkTimkr59-OymRN=FHV8+E6gH=ic2DBw@mail.gmail.com
04-27-2011, 10:29 AM
Bastian Blank
Crypto consolidation in debian ?
On Wed, Apr 27, 2011 at 11:40:14AM +0200, Bastien ROUCARIES wrote:
> On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery <rra@debian.org> wrote:
> > Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> > bother. Seems like a waste of time to me. If I were going to port to any
> > other crypto library, I'd port to gcrypto, not NSS.
> Gcrypto is GPL and thus incompatible with a lot of crypto package
> unfortunately. Not good for consolidation.
So is libnss, at least the version on my workstation. Your point taken?
Oh. And parts are 4-clause BSD (if I read this correctly).
Bastian
--
... The prejudices people feel about each other disappear when they get
to know each other.
-- Kirk, "Elaan of Troyius", stardate 4372.5
Archive: http://lists.debian.org/20110427102932.GA2445@wavehammer.waldi.eu.org
04-27-2011, 10:43 AM
Bastien ROUCARIES
Crypto consolidation in debian ?
On Wed, Apr 27, 2011 at 12:29 PM, Bastian Blank <waldi@debian.org> wrote:
> On Wed, Apr 27, 2011 at 11:40:14AM +0200, Bastien ROUCARIES wrote:
>> On Wed, Apr 27, 2011 at 1:05 AM, Russ Allbery <rra@debian.org> wrote:
>> > Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> > bother. Seems like a waste of time to me. If I were going to port to any
>> > other crypto library, I'd port to gcrypto, not NSS.
>> Gcrypto is GPL and thus incompatible with a lot of crypto package
>> unfortunately. Not good for consolidation.
>
> So is libnss, at least the version on my workstation. Your point taken?
>
> Oh. And parts are 4-clause BSD (if I read this correctly).
Debian's copyright file is out of date; the clause was removed by Berkeley and
this is reflected in the source...
The main point is the FIPS 140 certification for external software if
using some simple rules documented at
http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf
Bastien
>
> Bastian
>
> --
> ... The prejudices people feel about each other disappear when they get
> to know each other.
> -- Kirk, "Elaan of Troyius", stardate 4372.5
Archive: http://lists.debian.org/BANLkTiksQ62wdqca7NOUehxgzA8eHnaT4A@mail.gmail.com
>> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> bother. Seems like a waste of time to me. If I were going to port to any
>> other crypto library, I'd port to gcrypto, not NSS.
> See also that SUSE is considering porting to NSS:
> http://old-en.opensuse.org/SharedCertStore
That's fine. They can send me patches too if they want. I'm still
not interested; I'd rather put whatever time I had into making gnutls and
gcrypto better, particularly since I think FIPS certification is just a
money-making racket.
Archive: http://lists.debian.org/87vcxz8xo2.fsf@windlord.stanford.edu
04-27-2011, 04:46 PM
Roger Leigh
Crypto consolidation in debian ?
On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
> Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
>
> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
> >> bother. Seems like a waste of time to me. If I were going to port to any
> >> other crypto library, I'd port to gcrypto, not NSS.
>
> > See also that SUSE is considering porting to NSS:
> > http://old-en.opensuse.org/SharedCertStore
>
> That's fine. They can send me patches too if they want. I'm still
> not interested; I'd rather put whatever time I had into making gnutls and
> gcrypto better, particularly since I think FIPS certification is just a
> money-making racket.
libgcrypt has some horrendous bugs which upstream refuse to fix,
for example the broken behaviour relating to setuid binaries
discussed previously here, and the hard coded behaviour which
makes it unsuitable for use in general programs. See
"libgcrypt brain dead?" 3c5cf5261003081534s5202413dw4d93c80db1a30150@mail.gmail.com
Until these major issues are fixed, it's simply unusable.
Ideally, the software relying on the broken behaviour needs fixing,
and then libgcrypt can remove this idiotic special casing.
Regards,
Roger
--
.'`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
04-28-2011, 08:37 AM
Bastien ROUCARIES
Crypto consolidation in debian ?
On Wed, Apr 27, 2011 at 6:46 PM, Roger Leigh <rleigh@codelibre.net> wrote:
> On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
>> Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
>>
>> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> >> bother. Seems like a waste of time to me. If I were going to port to any
>> >> other crypto library, I'd port to gcrypto, not NSS.
>>
>> > See also that SUSE is considering porting to NSS:
>> > http://old-en.opensuse.org/SharedCertStore
>>
>> That's fine. They can send me patches too if they want. I'm still
>> not interested; I'd rather put whatever time I had into making gnutls and
>> gcrypto better, particularly since I think FIPS certification is just a
>> money-making racket.
>
> libgcrypt has some horrendous bugs which upstream refuse to fix,
> for example the broken behaviour relating to setuid binaries
> discussed previously here, and the hard coded behaviour which
> makes it unsuitable for use in general programs. See
>
> "libgcrypt brain dead?" 3c5cf5261003081534s5202413dw4d93c80db1a30150@mail.gmail.com
>
> Until these major issues are fixed, it's simply unusable.
>
> Ideally, the software relying on the broken behaviour needs fixing,
> and then libgcrypt can remove this idiotic special casing.
So, could we document the different pitfalls of the crypto libraries on the
Debian wiki?
Archive: http://lists.debian.org/BANLkTik5tkxE+PJG6-fvynMrHbdRo+BAXA@mail.gmail.com
04-28-2011, 01:06 PM
Simon Josefsson
Crypto consolidation in debian ?
md@Linux.IT (Marco d'Itri) writes:
> On Apr 27, Bastian Blank <waldi@debian.org> wrote:
>
>> On Tue, Apr 26, 2011 at 07:20:55PM +0200, Marco d'Itri wrote:
>> > The reason is that the kind of entities which require FIPS 140 probably
>> > also tend to require corporate vendor support, which we do not provide.
>> What is FIPS 140 and why is this important?
> It is a certification required by USG and many financial customers.
For what it's worth, libgcrypt was in FIPS evaluation a long time ago and
may even be certified by now.
/Simon
Archive: http://lists.debian.org/87zkna34qf.fsf@latte.josefsson.org
04-28-2011, 01:09 PM
Simon Josefsson
Crypto consolidation in debian ?
Roger Leigh <rleigh@codelibre.net> writes:
> On Wed, Apr 27, 2011 at 09:30:05AM -0700, Russ Allbery wrote:
>> Bastien ROUCARIES <roucaries.bastien@gmail.com> writes:
>>
>> >> Patches to WebAuth to support NSS are welcome, but I'm sure not going to
>> >> bother. Seems like a waste of time to me. If I were going to port to any
>> >> other crypto library, I'd port to gcrypto, not NSS.
>>
>> > See also that SUSE is considering porting to NSS:
>> > http://old-en.opensuse.org/SharedCertStore
>>
>> That's fine. They can send me patches too if they want. I'm still
>> not interested; I'd rather put whatever time I had into making gnutls and
>> gcrypto better, particularly since I think FIPS certification is just a
>> money-making racket.
>
> libgcrypt has some horrendous bugs which upstream refuse to fix,
> for example the broken behaviour relating to setuid binaries
> discussed previously here, and the hard coded behaviour which
> makes it unsuitable for use in general programs. See
>
> "libgcrypt brain dead?"
> 3c5cf5261003081534s5202413dw4d93c80db1a30150@mail.gmail.com
>
> Until these major issues are fixed, it's simply unusable.
It appears to be usable by a lot of projects and people, so that seems
like an exaggeration. If I have understood Werner correctly, he
believes that it is the setuid binaries that are broken and should be
fixed.
/Simon
Archive: http://lists.debian.org/87vcxy34kj.fsf@latte.josefsson.org