GnuTLS for samba-4.12.x on RHEL7 / CentOS 7: encourage or discourage?

Andreas Schneider asn at samba.org
Thu Jun 18 05:58:47 UTC 2020


On Thursday, 18 June 2020 06:11:18 CEST Andrew Bartlett via samba-technical wrote:
> On Thu, 2020-06-18 at 04:46 +0100, Sérgio Basto via samba wrote:
> > On Thu, 2020-06-18 at 14:43 +1200, Andrew Bartlett via samba wrote:
> > > If we could get an even more modern version then we can consider
> > > removing even more duplicate in-house cryptography.
> > 
> > Thank you, glad to help.
> > 
> > You mean do compat-gnutls36 packages? IIRC, already when I tried to
> > build gnutls-3.5, I found that we need to update and build many more
> > package dependencies ...
> 
> Thanks for that extra information.  I wondered what the issue was.
> 
> Now, the big question I wanted to ask you is this:
> 
> It is one thing to give us a really big helping hand for development,
> but I wondered how comfortable you are with being the repository for a
> security-sensitive package being used by a significant number of
> production Samba sites?
> 
> Do you have the resources to ensure that if GnuTLS issues a security
> advisory impacting GnuTLS 3.4 that you backport the patches?  I notice
> a number of issues here:  https://www.gnutls.org/security-new.html
> 
> Or should we instead strongly discourage the use of Samba 4.12,
> particularly as an AD DC (because the LDAP server exposes TLS, which
> seems to be a more likely target), on RHEL7 / CentOS 7?
> 
> (We would instead suggest an upgrade to RHEL8 / CentOS 8.)

You should upgrade to RHEL8 or CentOS8 which offers a modern GnuTLS library.

Especially because GnuTLS in RHEL8 will either be rebased to newer versions or
the patches required by Samba will be backported.


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D