Getting Samba out of crypto

Andrew Bartlett abartlet at
Fri Feb 23 18:00:48 UTC 2018

On Fri, 2018-02-23 at 08:24 -0800, Jeremy Allison via samba-technical
> Well previously we depended on in-tree, gnutls and nettle.
> Now we only depend on in-tree and gnutls.

Sure, but that means that for this module, we now must use in-tree
crypto on RHEL 6 and RHEL 7 (for example).  That is a step forward for
build simplicity and a step backwards for 'get out of the in-tree
crypto game', which happens when we drop in-tree crypto, not when we
drop nettle.

It depends on which was our goal, which is my fundamental question here.

> Eventually we'll get to just gnutls, hopefully with
> Red Hat help.

My point is that this is a very distant eventually, and this patch is
actually a step backwards in that regard.

It might be the right patch, but I want it to be the right patch for
the right reasons, and it seems while we say 'we want out of the crypto
game', we really mean 'we care more about an additional dependency than
getting out of the crypto game'.

The difference matters because if you read the REQUIREMENTS file in
lib/crypto clearly some of our crypto (like DES) won't ever be in
GnuTLS and others are just a ticket, but are in Nettle.  I'm asking so
painfully because a clear statement here is something I can then
document more clearly there.

It will also avoid embarrassing situations where a client asks me to
prepare patches to remove in-tree crypto (say of DES and RC4, I realise
the situation around AES is more complex) but once prepared I find them
rightly rejected.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
