Getting Samba out of crypto

Andrew Bartlett abartlet at samba.org
Fri Feb 23 18:00:48 UTC 2018


On Fri, 2018-02-23 at 08:24 -0800, Jeremy Allison via samba-technical
wrote:
> 
> Well previously we depended on in-tree, gnutls and nettle.
> Now we only depend on in-tree and gnutls.

Sure, but that means that for this module, we now must use in-tree
crypto on RHEL 6 and RHEL 7 (for example).  That is a step forward for
build simplicity and a step backwards for 'get out of the in-tree
crypto game', which happens when we drop in in-tree crypto, not when we
drop nettle.

It depends on which was our goal, which is my fundamental question here.

> Eventually we'll get to just gnutls, hopefully with
> Red Hat help.

My point is that this is a very distant eventually, and this patch is
actually a step backwards in that regard.

It might be the right patch, but I want it to be the right patch for
the right reasons, and it seems while we say 'we want out of the crypto
game', we really mean 'we care more about an additional dependency than
getting out of the crypto game'.

The difference matters because if you read the REQUIREMENTS file in
lib/crypto, clearly some of our crypto (like DES) won't ever be in
GnuTLS and others are just a ticket, but are in Nettle.  I'm asking so
painfully because a clear statement here is something I can then
document more clearly there.

It will also avoid embarrassing situations where a client asks me to
prepare patches to remove in-tree crypto (say of DES and RC4, I realise
the situation around AES is more complex) but once prepared I find them
rightly rejected.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba