Require GnuTLS 3.4.7 for Samba 4.12 in March 2020?

Nico Kadel-Garcia nkadel at gmail.com
Thu Aug 8 12:08:26 UTC 2019


On Thu, Aug 8, 2019 at 8:06 AM Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>
> On Thu, Aug 8, 2019 at 1:07 AM Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > On Thu, 2019-08-01 at 08:58 +0200, Andreas Schneider wrote:
> > > On Wednesday, July 31, 2019 7:37:10 AM CEST Nico Kadel-Garcia via samba-
> > > technical wrote:
> > > > I only repackage that, I didn't write it. Credit where it's due, and
> > > >
> > > > quoting from the README.md there:
> > > > > > This is based on sergiomb2's work at
> > > > > >
> > > > > >  https://github.com/sergiomb2/SambaAD
> > > >
> > > > So Sergio gets credit. But I'm already using it for RHEL 7/CentOS 7.
> > > > I've done some very limited testing with RHEL 8, but am waiting for
> > > > CentOS 8 to finally be released to really test that.
> > > >
> > > > > > [1] Sadly we couldn't totally remove the Samba AES code, as SMB 2.24
> > > > > > requires AES-CMAC-128, but the impact would be far more constrained.
> > > >
> > > > Fair enough. I'd say accept the requirement of a compatibility library
> > > > for older operating systems, and I'm glad Sergio did most of the work.
> > >
> > > Is there a copr repo with the compat-gnutls34 available somewhere?
> > >
> >
> > Do you mean this:
> >
> > https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/package/compat-gnutls34/
> >
> > Andreas,
> >
> > Can you take charge of getting this into the CentOS7 image used for
> > CI so we can proceed with this?
> >
> > Thanks,
> >
> > Andrew Bartlett
>
> That's the one I use. I refactored those for my samba4repo.
>
> https://github.com/nkadel/compat-gnutls34-3.x-srpm
>
> You'll also need the compat-nettle32 package, which is a dependency
> for compat-gnutls34.
>
> https://github.com/nkadel/compat-nettle32-3.x-srpm
>
> I'm not sure what you're using for CI. I really have gotten
> comfortable with the "samba4repo" setup I use, where all the libraries
> are in their own git repos and I use git submodules, and I use "mock"
> to provide a full end-to-end build of all the packages in a local
> repo. That is the setup I've mentioned before, at:
>
> https://github.com/nkadel/samba4repo
>
> I'm afraid that whether mock on a particular operating system handles
> a local file:/// repository has been a bit of a crapshoot. To make
> this work on some build hosts I've had to activate a web service to
> enable http:// access to the local repo. My setup includes building
> some nginx.conf.d/ files for providing just that, as well.

And oh, I've not been publishing binaries because I don't have what
I'd consider a well enough sanitized environment to publish GPG keys
and binary RPMs from. Not that my workspaces are tainted, just that I'd
like to set up much higher security levels for a production build
host.
