Re: (ITS#7877) please make gcrypt optional with newer gnutls

ryan@nardis.ca wrote:
> Full_Name: Ryan Tandy
> Version: HEAD
> OS: Debian unstable
> URL:
> Submission from: (NULL) (
> Debian bug report: https://bugs.debian.org/745231
> Quoting Andreas Metzler:
> "given that gmp has been dual-licensed LGPLv3+/GPLv2+ it should be possible to
> switch openldap over to the newer version of gnutls.
> Upstream's 0205e83f4670d10ad3c6ae4b8fc5ec1d0c7020c0 lets the Debian package
> build successfully (including testsuite).

The only reason GnuTLS support exists in OpenLDAP is because of Debian. 
Therefore, if Debian no longer uses libgcrypt, I'm happy to rip all of that 
crap out. There's no reason for us to even keep optional support for it 
because that gives the mistaken impression that we endorse its use. Which we 
most vehemently do not.

> However even with patch there is still some work to be done.
> libraries/libldap/tls_g.c has some gcrypt related code that should be simply
> unnecessary with gnutls3, therefore it should not link against libgcrypt either.
> (Except for contrib/slapd-modules/smbk5pwd/smbk5pwd.c)."
> The following changes make gcrypt optional for libldap. For versions where both
> nettle and gcrypt are supported, I assume the default since no mechanism is
> provided for detecting which is actually in use.

Yet another flaw in GnuTLS design...

> Tested with GnuTLS 2.8.6 and 3.2.15.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/