Getting Samba out of crypto
abartlet at samba.org
Fri Feb 23 18:00:48 UTC 2018
On Fri, 2018-02-23 at 08:24 -0800, Jeremy Allison via samba-technical
> Well previously we depended on in-tree, gnutls and nettle.
> Now we only depend on in-tree and gnutls.
Sure, but that means that for this module, we now must use in-tree
crypto on RHEL 6 and RHEL 7 (for example). That is a step forward for
build simplicity and a step backwards for 'get out of the in-tree
crypto game', which happens when we drop in in-tree crypto, not when we
It depends which was our goal, which is my fundamental question here.
> Eventually we'll get to just gnutls, hopefully with
> Red Hat help.
My point is that this is a very distant eventually, and this patch is
actually a step backwards in that regard.
It might be the right patch, but I want it to be the right patch for
the right reasons, and it seems while we say 'we want out of the crypto
game', we really mean 'we care more about an additional dependency than
getting out of the crypto game'.
The difference matters because if you read the REQUIREMENTS file in
lib/crypto, clearly some of our crypto (like DES) won't ever be in
GnuTLS and others are just a ticket, but are in Nettle. I'm asking so
painfully because a clear statement here is something I can then
document more clearly there.
It will also avoid embarrassing situations where a client asks me to
prepare patches to remove in-tree crypto (say of DES and RC4, I realise
the situation around AES is more complex) but once prepared I find them
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba