Werner Koch wrote:
> On Thu, 18 Apr 2013 20:40, clo...@igalia.com said:
>
>> I see two options to get this fixed for Wheezy:
>>
>> [Option 1] -- Do the same that Ubuntu did. That is:
>>
>> 1.a) Patch libgcrypt to revert commit
>>      d769529a71ccda4e833f919f3c5693d25b005ff0
>
> Urgs.  That is a short-sighted fix.
>
>> [Option 2] -- Patch OpenLDAP to set the flag GCRYCTL_DISABLE_SECMEM if
>> GCRYCTL_INITIALIZATION_FINISHED is false. This is the patch I previously
>> proposed at http://bugs.debian.org/368297#135
>
> That is the most correct solution.

Excuse me? By what measure is this correct? Certainly not by any published official documentation.

> Any application (not library) which
> wants to use that mlock protected memory (aka secure memory) needs to
> make sure that libgcrypt has been initialized correctly.  Thus if the
> application does not do that and a library wants to do its own thing,
> that library should do it in the above way.

The OpenLDAP library doesn't want one thing or another at all. It simply is expected to use GnuTLS on Debian, and it initializes it as documented.

Frankly, speaking for the OpenLDAP Project, what we want is to delete all support for GnuTLS. It is, like Mozilla NSS, a poorly designed API with requirements that are impossible to satisfy in the real world, and more trouble than it's worth.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
