GNU bug report logs - #34632
[PATCH 0/2] Change from GSS to MIT-KRB5.

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#34632: closed ([PATCH 0/2] Change from GSS to MIT-KRB5.)
Date: Tue, 14 May 2019 18:16:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Tue, 14 May 2019 20:15:36 +0200
with message-id <87v9ycaomv.fsf <at> fastmail.com>
and subject line Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
has caused the debbugs.gnu.org bug report #34632,
regarding [PATCH 0/2] Change from GSS to MIT-KRB5.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
34632: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34632
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Marius Bakke <mbakke <at> fastmail.com>
To: guix-patches <at> gnu.org
Subject: [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Sat, 23 Feb 2019 17:20:42 +0100

The GNU Generic Security Service and friends have been unmaintained for
many years now: <https://www.gnu.org/software/gss/>.

Since these libraries are security-critical, it would be good to switch
to maintained implementations.  WDYT?

Marius Bakke (2):
  gnu: gsasl: Use the MIT Kerberos implementation instead of GSS.
  gnu: curl: Build against MIT Kerberos instead of GSS.

 gnu/packages/curl.scm  | 10 ++++++----
 gnu/packages/gsasl.scm |  4 +++-
 2 files changed, 9 insertions(+), 5 deletions(-)

-- 
2.20.1

[Message part 3 (message/rfc822, inline)]

From: Marius Bakke <mbakke <at> fastmail.com>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>,
 Leo Famulari <leo <at> famulari.name>
Cc: Ludovic Courtès <ludo <at> gnu.org>, 34632-done <at> debbugs.gnu.org
Subject: Re: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
Date: Tue, 14 May 2019 20:15:36 +0200

[Message part 4 (text/plain, inline)]

Hi Maxim,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hello,
>
> Leo Famulari <leo <at> famulari.name> writes:
>
>> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>>> Unmaintained on what ground? The website doesn't list fresh news,
>>> but the latest release was made in 2014 [1], and the maintainer has made
>>> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
>>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>>> there aren't).
>>
>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>> think that, if GSS was being examined to the same degree, we would learn
>> of many serious bugs. Any significant C codebase of this age will have
>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>
>> [0]
>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>
> Just FYI,
>
> I had ping'd the GSS mailing list with this message:
> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
> there haven't been a reply (yet).
>
> So it looks like it was a wise decision to make the switch! Sorry for
> doubting, eh!

Thank you very much for checking with upstream :-)

I was on the fence about this switch myself, and submitted this patch
hoping for feedback along these lines.

It would be great to get Shishi and GSS into Googles OSS-Fuzz and
similar so that we can be more confident in the implementation.

For now I've pushed these patches in 996186b..828d376.

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.