On Sun, May 1, 2011 at 3:23 AM, Steve Langasek <vor...@debian.org> wrote:
> On Thu, Apr 28, 2011 at 03:09:48PM +0200, Simon Josefsson wrote:
>> Roger Leigh <rle...@codelibre.net> writes:
>
>> > libgcrypt has some horrendous bugs which upstream refuse to fix,
>> > for example the broken behaviour relating to setuid binaries
>> > discussed previously here, and the hard coded behaviour which
>> > makes it unsuitable for use in general programs. See
>> >
>> > "libgcrypt brain dead?"
>> > 3c5cf5261003081534s5202413dw4d93c80db1a30...@mail.gmail.com
>
>> > Until these major issues are fixed, it's simply unusable.
>
>> It appears to be usable by a lot of projects and people, so that seems
>> like an exaggeration. If I have understood Werner correctly, he
>> believes that it is the setuid binaries that are broken and should be
>> fixed.
>
> As a comaintainer of openldap, which links to gnutls in Debian for license
> reasons, I need to vehemently echo Roger here. sudo most certainly isn't
> broken for being setuid, and libgcrypt should definitely not be ripping its
> suid privs out from under it, yet this is what happens if using nss_ldap
> with an SSL-using LDAP server.
>
> http://bugs.debian.org/566351
> https://bugs.launchpad.net/bugs/423252
>
> Changing the uid of the calling application is *not* an acceptable side
> effect for a library and I can't imagine how anyone could believe that it
> is. Unfortunately that seems to leave nss_ldap caught between an SSL
> implementation with a perverse license, and an SSL implementation whose
> upstream has perverse ideas about library handling of process state.
It seems Fedora is moving to nss for openldap

https://fedoraproject.org/wiki/Test_Day:2010-10-14_OpenLDAP/NSS

Have you tested?

Bastien

Archive: http://lists.debian.org/BANLkTind2XtFLBr5y8_4v=+umfnbzb+...@mail.gmail.com
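The side effect Steve objects to above (a library resetting the calling process's uid) is easy to detect from the caller's side. The following is an added C example, not code from the thread, libgcrypt or gnutls: it snapshots the process's real/effective/saved uids with getresuid() around a library initialization call and reports whether that call silently changed them. Both init functions are constructed stand-ins, and the privilege drop is only observable when the program actually runs setuid (euid differs from ruid).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Real, effective and saved user ids of the calling process. */
struct creds {
    uid_t ruid, euid, suid;
};

/* Capture the current credential triple; returns 0 on success. */
static int creds_snapshot(struct creds *c)
{
    return getresuid(&c->ruid, &c->euid, &c->suid);
}

/* 1 if both snapshots carry the same triple, else 0. */
static int creds_equal(const struct creds *a, const struct creds *b)
{
    return a->ruid == b->ruid && a->euid == b->euid && a->suid == b->suid;
}

/* Run a library initialization routine and report whether it left the
 * process credentials untouched: 1 = unchanged, 0 = changed, -1 = error. */
static int init_preserves_creds(void (*init)(void))
{
    struct creds before, after;
    if (creds_snapshot(&before) != 0)
        return -1;
    init();
    if (creds_snapshot(&after) != 0)
        return -1;
    return creds_equal(&before, &after);
}

/* Constructed stand-in for a well-behaved library: touches no process state. */
static void benign_init(void) { }

/* Constructed stand-in for the behaviour complained about in the thread: the
 * library resets the effective uid to the real uid. In a setuid-root program
 * this silently drops root; run unprivileged it changes nothing. */
static void privdropping_init(void)
{
    if (setuid(getuid()) != 0)
        perror("setuid");
}

int main(void)
{
    printf("benign init preserves creds: %d\n", init_preserves_creds(benign_init));
    printf("priv-dropping init preserves creds: %d\n", init_preserves_creds(privdropping_init));
    return 0;
}
```

Build with `gcc -Wall -o credcheck credcheck.c`; to see the second line report 0, the binary must be owned by root with the setuid bit set and run by an unprivileged user.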