From: Maxim Cournoyer
To: Simon Josefsson
Cc: 34632@debbugs.gnu.org, help-gss@gnu.org
Subject: [bug#34632] GSS development status
Date: Tue, 09 Aug 2022 20:48:03 -0400
Message-ID: <877d3gorek.fsf@gmail.com>
In-Reply-To: <87r11ttqq0.fsf@latte.josefsson.org>
References: <87o968i9gh.fsf@gmail.com> <87r11ttqq0.fsf@latte.josefsson.org>

Hi Simon,

Simon Josefsson writes:

> Maxim Cournoyer writes:
>
>> Hello,
>>
>> I'd like to inquire about the development status of GSS? Has it left the
>> beta status? Are bugs still being fixed? Are there any known or presumed
>> security issues when using GSS rather than its more mainstream
>> implementation in MIT Kerberos?
>>
>> I'm asking because the GNU Guix project is considering a switch from GNU
>> GSS to MIT krb5 for security reasons [0], given that no new releases have
>> been made since 2014.
>>
>> Thank you,
>>
>> Maxim Cournoyer
>>
>> [0] http://issues.guix.info/issue/34632
>
> Hi Maxim,
>
> Sorry for the slow response, which may in part be an answer to your
> question. However I have just released GNU GSS version 1.0.4 to refresh
> the project, and have set up CI/CD checking of it to pave the road for
> future improvements. To my knowledge there are only two major missing
> features:
>
> 1) Missing gss_wrap() AES functionality. This prevents SASL GSS-API
>    from completing on modern machines. Shishi supports AES and GSSLib
>    supports it for GSS_Init_sec_context etc but not GSS_wrap.
>
> 2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
>    Heimdal.
>
> I hope to complete 1) in the future. For 2), fixing it would be a GNU
> Shishi feature that should be simple to resolve -- it ships with tools
> ccache2shishi and keytab2shishi to convert the files, but that should be
> done automatically internally by the library instead.
>
> Indeed getting these enrolled in the OSS Fuzz project would be a great
> contribution. My primary goal is to do a new release of GNU Shishi and
> improve the CI/CD integration checks to have good confidence in future
> changes.
>
> Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
> I believe it would be much nicer if you would use the 'Libgssglue'
> package instead! Then the user can change GSS-API library at run-time.
> Read about this work here:
>
> https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

Thank you for this update! I'm happy to read you are picking up
maintenance of GSS. The libgssglue is interesting... I'll have to read
about it to know how it's intended to be used.

Thanks, and long live GNU GSS!

Maxim