Getting Samba out of crypto

Jeremy Allison jra at samba.org
Fri Feb 23 18:18:34 UTC 2018


On Sat, Feb 24, 2018 at 07:00:48AM +1300, Andrew Bartlett wrote:
> On Fri, 2018-02-23 at 08:24 -0800, Jeremy Allison via samba-technical
> wrote:
> > 
> > Well previously we depended on in-tree, gnutls and nettle.
> > Now we only depend on in-tree and gnutls.
> 
> Sure, but that means that for this module, we now must use in-tree
> crypto on RHEL 6 and RHEL 7 (for example).  That is a step forward for
> build simplicity and a step backwards for 'get out of the in-tree
> crypto game', which happens when we drop in in-tree crypto, not when we
> drop nettle.
> 
> It depends which was our goal, which is my fundamental question here. 
> 
> > Eventually we'll get to just gnutls, hopefully with
> > Red Hat help.
> 
> My point is that this is a very distant eventually, and this patch is
> actually a step backwards in that regard.
> 
> It might be the right patch, but I want it to be the right patch for
> the right reasons, and it seems while we say 'we want out of the crypto
> game', we really mean 'we care more about an additional dependency than
> getting out of the crypto game'.  

I think those two statements are not long-term contradictory,
although maybe in the short term.

From the discussions on the lists, IMHO we have decided upon
gnutls as *the* crypto library we want to end up depending on.

If there are things we need that are not in gnutls (DES etc.),
we will have to carry these for as long as we need them.

But adding intermediate libraries like nettle to get around
current deficiencies in gnutls is adding short-term complexity
and incurring long-term technical debt. gnutls may depend on nettle itself,
but we don't want to have to care about or even know about that.

Right now this patch puts us in the better (IMHO) position
of depending on in-tree and gnutls only. As gnutls improves,
we remove more of our in-tree until eventually we end up with
only legacy (DES) in tree, and everything else being gnutls.

Then we truly are (mostly) out of the crypto game.

I don't want any more mix-and-match, boutique crypto libraries
added. If we need something, work with Red Hat, SuSE and Debian to get
it into gnutls.
