On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
> Roger Leigh <rle...@codelibre.net> writes:
> > libgcrypt has some horrendous bugs which upstream refuse to fix,
> > for example the broken behaviour relating to setuid binaries
> > discussed previously here, and the hard coded behaviour which
> > makes it unsuitable for use in general programs.  See
> >
> >   "libgcrypt brain dead?"
> >   3c5cf5261003081534s5202413dw4d93c80db1a30...@mail.gmail.com
> >
> > Until these major issues are fixed, it's simply unusable.

> It appears to be usable by a lot of projects and people, so that seems
> like an exaggeration.  If I have understood Werner correctly, he
> believes that it is the setuid binaries that are broken and should be
> fixed.

As a comaintainer of openldap, which links to gnutls in Debian for license
reasons, I need to vehemently echo Roger here.  sudo most certainly isn't
broken for being setuid, and libgcrypt should definitely not be ripping its
suid privs out from under it, yet this is what happens if using nss_ldap
with an SSL-using LDAP server.

  http://bugs.debian.org/566351
  https://bugs.launchpad.net/bugs/423252

Changing the uid of the calling application is *not* an acceptable side
effect for a library and I can't imagine how anyone could believe that it
is.

Unfortunately that seems to leave nss_ldap caught between an SSL
implementation with a perverse license, and an SSL implementation whose
upstream has perverse ideas about library handling of process state.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org

Archive: http://lists.debian.org/20110501012328.gb22...@virgil.dodds.net