From: help-gss--- via <guix-patches@gnu.org>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Cc: 34632@debbugs.gnu.org, help-gss@gnu.org
Subject: [bug#34632] GSS development status
Date: Sat, 06 Aug 2022 16:02:31 +0200	[thread overview]
Message-ID: <87r11ttqq0.fsf@latte.josefsson.org> (raw)
In-Reply-To: <87o968i9gh.fsf@gmail.com> (Maxim Cournoyer's message of "Mon, 18 Mar 2019 09:43:58 -0400")

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> I'd like to inquire about the development status of GSS. Has it left the
> beta status? Are bugs still being fixed? Are there any known or presumed
> security issues when using GSS rather than its more mainstream
> implementation in MIT Kerberos?
>
> I'm asking because the GNU Guix project is considering a switch from GNU
> GSS to MIT krb5 for security reasons [0], given that no new releases have
> been made since 2014.
>
> Thank you,
>
> Maxim Cournoyer
>
> [0]  http://issues.guix.info/issue/34632

Hi Maxim,

Sorry for the slow response, which may in part be an answer to your
question.  However, I have just released GNU GSS version 1.0.4 to refresh
the project, and have set up CI/CD checking of it to pave the road for
future improvements.  To my knowledge there are only two major missing
features:

  1) Missing gss_wrap() AES functionality.  This prevents SASL GSS-API
     from completing on modern machines.  Shishi supports AES and GSSLib
     supports it for GSS_Init_sec_context etc. but not GSS_wrap.

  2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
     Heimdal.

I hope to complete 1) in the future.  For 2), fixing it would be a GNU
Shishi feature that should be simple to resolve -- it ships with tools
ccache2shishi and keytab2shishi to convert the files, but that should be
done automatically internally by the library instead.

Indeed getting these enrolled in the OSS Fuzz project would be a great
contribution.  My primary goal is to do a new release of GNU Shishi and
improve the CI/CD integration checks to have good confidence in future
changes.

Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
I believe it would be much nicer if you would use the 'Libgssglue'
package instead!  Then the user can change GSS-API library at run-time.
Read about this work here:

https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

/Simon
