Hi Alexander,

On Wed, Jan 03, 2024 at 06:00:38PM +0100, Marc Haber wrote:
> thanks for your patch. I am indeed reluctant to have OpenSSL added as a
> dependency to sudo. This might open a can of worms; other team members
> might give their opinion here as well.

Now with sudo-ldap gone, I revisited the issue recently. It looks like
sudo_sendlog and sudo_logsrvd are already linked against OpenSSL:

$ ldd /usr/sbin/sudo_sendlog | grep -i ssl
        libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007fef89645000)
$ ldd /usr/sbin/sudo_logsrvd | grep -i ssl
        libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007f50e6bd2000)
$

and I was able to verify that sudo_sendlog is actually talking encrypted
to sudo_logsrvd.

So we are already pulling in OpenSSL with the current package, right?

I stumble a bit over the word "directly" in your bug report. I apologize
for my ignorance. Is this entire bug report about linking the actual
/usr/bin/sudo against OpenSSL so that sudo can send its logs directly to
the log server without first writing a local log and without using
sudo_sendlog?

Greetings
Marc

