GnuTLS for samba-4.12.x on RHEL7 / CentOS 7: encourage or discourage?

Andrew Bartlett abartlet at samba.org
Thu Jun 18 04:11:18 UTC 2020


On Thu, 2020-06-18 at 04:46 +0100, Sérgio Basto via samba wrote:
> On Thu, 2020-06-18 at 14:43 +1200, Andrew Bartlett via samba wrote:
> > If we could get an even more modern version then we can consider
> > removing even more duplicate in-house cryptography. 
> 
> Thank you, glad to help.
> 
> You mean do compat-gnutls36 packages? IIRC, already when I tried to
> build gnutls-3.5, I found that we need to update and build many more
> package dependencies ...

Thanks for that extra information.  I wondered what the issue was.

Now, the big question I wanted to ask you is this:

It is one thing to give us a really big helping hand for development,
but I wondered how comfortable are you with being the repository for a
security-sensitive package being used by a significant number of
production Samba sites?

Do you have the resources to ensure that if GnuTLS issues a security
advisory impacting GnuTLS 3.4 that you backport the patches?  I notice
a number of issues here:  https://www.gnutls.org/security-new.html

Or should we instead strongly discourage the use of Samba 4.12,
particularly as an AD DC (because the LDAP server exposes TLS, which
seems to be a more likely target), on RHEL7 / CentOS 7?

(We would instead suggest an upgrade to RHEL8 / CentOS 8).

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba





