Require GnuTLS 3.4.7 for Samba 4.12 in March 2020?

Nico Kadel-Garcia nkadel at gmail.com
Wed Jul 31 05:33:09 UTC 2019


On Wed, Jul 31, 2019 at 12:27 AM Andrew Bartlett via samba-technical
<samba-technical at lists.samba.org> wrote:
>
> I'm reviewing "Use GnuTLS AES ciphers if supported by the installed
> GnuTLS version" for Andreas.
>
> https://gitlab.com/samba-team/samba/merge_requests/669
>
> The one thing I really don't like is the #ifdef on HAVE_GNUTLS_AEAD.  I
> would prefer we just chose to rely on GnuTLS. [1]
>
> Duplicated code is bad, duplicated crypto code is particularly bad and
> I would really like to remove our existing duplicates rather than add
> more.
>
> Not only are we short on maintenance resources, we would also need to
> restructure our testsuite to force a non-GnuTLS build to ensure we
> actually test this at all.
>
> In doing so I know many folks really like running current Samba (both
> as an AD DC and fileserver) on older enterprise distributions.
>
> In this case, RHEL 8, Ubuntu 16.04 and current Debian stable
> all have GnuTLS versions later than 3.4.7.
>
> So, what do folks think?  This would be for Samba 4.12 to be released
> in March 2020.
>
> To see how much can be removed, I'm exploring the idea in this WIP MR:
> https://gitlab.com/samba-team/samba/merge_requests/676
>
> Note, for CentOS 7 and earlier it may be possible to use
> https://github.com/nkadel/compat-gnutls34-3.x-srpm
>
> Andrew Bartlett
>
> [1] Sadly we couldn't totally remove the Samba AES code, as SMB 2.24
> requires AES-CMAC-128, but the impact would be far more constrained.
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
>