[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: max open files

Matheus Morais <matheus.morais@gmail.com> writes:

> First of all let me reconsider my opinion after a carefully read on
> Quanah arguments and references about OpenLDAP packages around some
> distros.  I had read the archives of this list, specifically about
> GnuTLS problems with OpenLDAP on Debian and now I understand the point
> of view of OpenLDAP developers. In fact, not only understands as I fully
> support it now. So sorry if was missing the point at my first email.

I don't think anyone is happy about the multiple SSL library situation.
We (Debian) believe that not using OpenSSL is legally required by the
mixture of licenses in question and that we have no choice unless we were
to remove from the distribution all software covered by the GPL and using
the OpenLDAP libraries.  Obviously, other people's legal advice differs,
but we can only go with the legal framework that we have available.

Due to its nature, Debian has to be somewhat more conservative on legal
questions since the project has no legal existence and hence no corporate
or other organizational liability shield.  If we screw up on legal
questions, *individual people* potentially get sued.  Although I note that
Ubuntu (which I'm not involved in), which does have an organizational
liability shield, is also taking the same stance.

It's one of those cases where the risk of an adverse event are very low,
but the negative consequences are potentially high.

I do think that the security concerns with GnuTLS tend to be somewhat
overstated on this list when summarized (and in a way that's not horribly
helpful in improving the overall quality of the package, not that it's the
obligation of anyone here to help with that).  But, regardless, Debian, as
the distributor who wants to use GnuTLS against the explicit advice of the
OpenLDAP developers, should carry the burden of investigating, reducing to
reproducible test cases, and reporting problems that are best corrected in
the OpenLDAP side of the interface.  That's not currently happening due to
the same lack of volunteer time discussed in my previous message, and
that's not the fault of the OpenLDAP maintainers.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>