Patch to remove zlib.

[Jelmer Vernooij]

On Wed, Jul 09, 2014 at 03:23:27PM -0700, Jeremy Allison wrote:
> On Wed, Jul 09, 2014 at 09:50:36PM +0200, Volker Lendecke wrote:
> > On Mon, Jul 07, 2014 at 12:46:47PM -0400, Ira Cooper wrote:
> > > Note: To apply it  unxz it then use git am --ignore-whitespace , otherwise
> > > you may have issues.  (xz was used to save the list a good bit of space...
> > > it's over 500k gzipped.)
> > > 
> > > As far as why: I listened to metze/vl.  I disagree with them.
> > > 
> > > I believe that third party (non Samba Team developed) libraries do not
> > > belong in the tree.  They are asking for trouble long term, IMHO.
> 
> +1 on this. There have been security vulnerabilities in
> zlib in the past, and we're not updating often enough
> to make sure we're safe.

We first imported zlib in 65c9e91a1bb24851a030a304d011558562cc50d6, which
was in July 2008.

The last zlib security release was in July 2005.
http://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/GNU-Zlib.html

> > > Consider this patch the first step down the path to cleaning up these
> > > libraries.
> > 
> > Please make sure that you can still build the file server,
> > winbind and smbclient without zlib around at all.
> 
> That shouldn't be too hard - just means making
> ndr_push_compression_start() fail I think, and
> it's only used in the ndr_drsuapi.c code which
> isn't used I think by smbd, winbind and smbclient.

If we're going to support two different configurations, I think it
would be easier to support one with system zlib and one with bundled zlib
as we do at the moment, rather than librpc with zlib and without zlib.

Cheers,

Jelmer

-- 
Jelmer Vernooij <jelmer at samba.org> - https://jelmer.co.uk/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140710/fa34affd/attachment.pgp>