* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
@ 2019-02-23 16:20 Marius Bakke
2019-02-23 16:23 ` [bug#34632] [PATCH 1/2] gnu: gsasl: Use the MIT Kerberos implementation instead of GSS Marius Bakke
2019-02-26 4:58 ` [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5 Leo Famulari
0 siblings, 2 replies; 10+ messages in thread
From: Marius Bakke @ 2019-02-23 16:20 UTC (permalink / raw)
To: 34632
The GNU Generic Security Service and friends have been unmaintained for
many years now: <https://www.gnu.org/software/gss/>.
Since these libraries are security-critical, it would be good to switch
to maintained implementations. WDYT?
Marius Bakke (2):
gnu: gsasl: Use the MIT Kerberos implementation instead of GSS.
gnu: curl: Build against MIT Kerberos instead of GSS.
gnu/packages/curl.scm | 10 ++++++----
gnu/packages/gsasl.scm | 4 +++-
2 files changed, 9 insertions(+), 5 deletions(-)
--
2.20.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* [bug#34632] [PATCH 1/2] gnu: gsasl: Use the MIT Kerberos implementation instead of GSS.
2019-02-23 16:20 [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5 Marius Bakke
@ 2019-02-23 16:23 ` Marius Bakke
2019-02-23 16:23 ` [bug#34632] [PATCH core-updates 2/2] gnu: curl: Build against MIT Kerberos " Marius Bakke
2019-02-26 4:58 ` [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5 Leo Famulari
1 sibling, 1 reply; 10+ messages in thread
From: Marius Bakke @ 2019-02-23 16:23 UTC (permalink / raw)
To: 34632
* gnu/packages/gsasl.scm (gsasl)[inputs]: Change from GSS to MIT-KRB5.
[arguments]: New field.
---
gnu/packages/gsasl.scm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/gsasl.scm b/gnu/packages/gsasl.scm
index 127b476ef3..9296f3d80f 100644
--- a/gnu/packages/gsasl.scm
+++ b/gnu/packages/gsasl.scm
@@ -95,9 +95,11 @@ the underlying security implementation.")
(("test-lock\\$\\(EXEEXT\\) ") ""))
#t))))
(build-system gnu-build-system)
+ (arguments
+ `(#:configure-flags '("--with-gssapi-impl=mit")))
(inputs `(("libidn" ,libidn)
("libntlm" ,libntlm)
- ("gss" ,gss)
+ ("mit-krb5" ,mit-krb5)
("zlib" ,zlib)))
(propagated-inputs
;; Propagate GnuTLS because libgnutls.la reads `-lnettle', and Nettle is a
--
2.20.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [bug#34632] [PATCH core-updates 2/2] gnu: curl: Build against MIT Kerberos instead of GSS.
2019-02-23 16:23 ` [bug#34632] [PATCH 1/2] gnu: gsasl: Use the MIT Kerberos implementation instead of GSS Marius Bakke
@ 2019-02-23 16:23 ` Marius Bakke
0 siblings, 0 replies; 10+ messages in thread
From: Marius Bakke @ 2019-02-23 16:23 UTC (permalink / raw)
To: 34632
* gnu/packages/curl.scm (curl)[inputs]: Change from GSS to MIT-KRB5.
[arguments]: Adjust accordingly.
---
gnu/packages/curl.scm | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index b1b2b999a2..88abc6aabd 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -37,8 +37,8 @@
#:use-module (gnu packages compression)
#:use-module (gnu packages golang)
#:use-module (gnu packages groff)
- #:use-module (gnu packages gsasl)
#:use-module (gnu packages guile)
+ #:use-module (gnu packages kerberos)
#:use-module (gnu packages libidn)
#:use-module (gnu packages openldap)
#:use-module (gnu packages perl)
@@ -63,10 +63,10 @@
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
(inputs `(("gnutls" ,gnutls)
- ("gss" ,gss)
("libidn" ,libidn)
("libssh2" ,libssh2)
("openldap" ,openldap)
+ ("mit-krb5" ,mit-krb5)
("nghttp2" ,nghttp2 "lib")
("zlib" ,zlib)))
(native-inputs
@@ -85,8 +85,10 @@
(separator #f) ;single entry
(files '("etc/ssl/certs/ca-certificates.crt")))))
(arguments
- `(#:configure-flags '("--with-gnutls" "--with-gssapi"
- "--disable-static")
+ `(#:configure-flags (list "--with-gnutls"
+ (string-append "--with-gssapi="
+ (assoc-ref %build-inputs "mit-krb5"))
+ "--disable-static")
;; Add a phase to patch '/bin/sh' occurances in tests/runtests.pl
#:phases
(modify-phases %standard-phases
--
2.20.1
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
2019-02-23 16:20 [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5 Marius Bakke
2019-02-23 16:23 ` [bug#34632] [PATCH 1/2] gnu: gsasl: Use the MIT Kerberos implementation instead of GSS Marius Bakke
@ 2019-02-26 4:58 ` Leo Famulari
2019-03-15 22:14 ` Ludovic Courtès
1 sibling, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2019-02-26 4:58 UTC (permalink / raw)
To: Marius Bakke; +Cc: 34632
[-- Attachment #1: Type: text/plain, Size: 348 bytes --]
On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
> The GNU Generic Security Service and friends have been unmaintained for
> many years now: <https://www.gnu.org/software/gss/>.
>
> Since these libraries are security-critical, it would be good to switch
> to maintained implementations. WDYT?
I think it's the right choice.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
2019-02-26 4:58 ` [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5 Leo Famulari
@ 2019-03-15 22:14 ` Ludovic Courtès
2019-03-16 3:43 ` Maxim Cournoyer
0 siblings, 1 reply; 10+ messages in thread
From: Ludovic Courtès @ 2019-03-15 22:14 UTC (permalink / raw)
To: Leo Famulari; +Cc: 34632
Hello,
Leo Famulari <leo@famulari.name> skribis:
> On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
>> The GNU Generic Security Service and friends have been unmaintained for
>> many years now: <https://www.gnu.org/software/gss/>.
>>
>> Since these libraries are security-critical, it would be good to switch
>> to maintained implementations. WDYT?
>
> I think it's the right choice.
Yeah, it’s a bit sad IMO, but so be it.
Note that “guix refresh -l gss” says 4K packages depend on it,
not sure why.
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
2019-03-15 22:14 ` Ludovic Courtès
@ 2019-03-16 3:43 ` Maxim Cournoyer
2019-03-17 18:27 ` Leo Famulari
0 siblings, 1 reply; 10+ messages in thread
From: Maxim Cournoyer @ 2019-03-16 3:43 UTC (permalink / raw)
To: mbakke; +Cc: 34632
Hello!
On Sat, Feb 23, 2019 at 05:20:42PM +0100, Marius Bakke wrote:
> The GNU Generic Security Service and friends have been unmaintained for
> many years now: <https://www.gnu.org/software/gss/>.
>
> Since these libraries are security-critical, it would be good to switch
> to maintained implementations. WDYT?
Unmaintained on what ground? The website doesn't list fresh news,
but the latest release was made in 2014 [1], and the maintainer has made
changes to the Debian package last time in 2017 [2]. I wouldn't say it's
unmaintained until the maintainer says so or CVEs pile up unfixed (which
there aren't).
So, my position would be to not do anything, as there doesn't seem to be
an issue.
Maxim
[1] ftp://ftp.gnu.org/gnu/gss/
[2] https://sources.debian.org/src/gss/1.0.3-3/debian/changelog/
^ permalink raw reply [flat|nested] 10+ messages in thread
* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
2019-03-16 3:43 ` Maxim Cournoyer
@ 2019-03-17 18:27 ` Leo Famulari
2019-05-14 3:17 ` Maxim Cournoyer
0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2019-03-17 18:27 UTC (permalink / raw)
To: Maxim Cournoyer; +Cc: 34632
[-- Attachment #1: Type: text/plain, Size: 716 bytes --]
On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
> Unmaintained on what ground? The website doesn't list fresh news,
> but the latest release was made in 2014 [1], and the maintainer has made
> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
> unmaintained until the maintainer says so or CVEs pile up unfixed (which
> there aren't).
Considering the rate of vulnerability discovery in MIT Kerberos [0] I
think that, if GSS was being examined to the same degree, we would learn
of many serious bugs. Any significant C codebase of this age will have
such bugs. But unfortunately GSS hasn't received as much scrutiny.
[0]
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
2019-03-17 18:27 ` Leo Famulari
@ 2019-05-14 3:17 ` Maxim Cournoyer
2019-05-14 18:15 ` bug#34632: " Marius Bakke
0 siblings, 1 reply; 10+ messages in thread
From: Maxim Cournoyer @ 2019-05-14 3:17 UTC (permalink / raw)
To: Leo Famulari; +Cc: 34632
Hello,
Leo Famulari <leo@famulari.name> writes:
> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>> Unmaintained on what ground? The website doesn't list fresh news,
>> but the latest release was made in 2014 [1], and the maintainer has made
>> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>> there aren't).
>
> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
> think that, if GSS was being examined to the same degree, we would learn
> of many serious bugs. Any significant C codebase of this age will have
> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>
> [0]
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
Just FYI,
I had ping'd the GSS mailing list with this message:
http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
there haven't been a reply (yet).
So it looks like it was a wise decision to make the switch! Sorry for
doubting, eh!
Maxim
^ permalink raw reply [flat|nested] 10+ messages in thread
* bug#34632: [PATCH 0/2] Change from GSS to MIT-KRB5.
2019-05-14 3:17 ` Maxim Cournoyer
@ 2019-05-14 18:15 ` Marius Bakke
2019-05-15 23:06 ` [bug#34632] " Maxim Cournoyer
0 siblings, 1 reply; 10+ messages in thread
From: Marius Bakke @ 2019-05-14 18:15 UTC (permalink / raw)
To: Maxim Cournoyer, Leo Famulari; +Cc: 34632-done
[-- Attachment #1: Type: text/plain, Size: 1489 bytes --]
Hi Maxim,
Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
> Hello,
>
> Leo Famulari <leo@famulari.name> writes:
>
>> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>>> Unmaintained on what ground? The website doesn't list fresh news,
>>> but the latest release was made in 2014 [1], and the maintainer has made
>>> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
>>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>>> there aren't).
>>
>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>> think that, if GSS was being examined to the same degree, we would learn
>> of many serious bugs. Any significant C codebase of this age will have
>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>
>> [0]
>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>
> Just FYI,
>
> I had ping'd the GSS mailing list with this message:
> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
> there haven't been a reply (yet).
>
> So it looks like it was a wise decision to make the switch! Sorry for
> doubting, eh!
Thank you very much for checking with upstream :-)
I was on the fence about this switch myself, and submitted this patch
hoping for feedback along these lines.
It would be great to get Shishi and GSS into Googles OSS-Fuzz and
similar so that we can be more confident in the implementation.
For now I've pushed these patches in 996186b..828d376.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
2019-05-14 18:15 ` bug#34632: " Marius Bakke
@ 2019-05-15 23:06 ` Maxim Cournoyer
0 siblings, 0 replies; 10+ messages in thread
From: Maxim Cournoyer @ 2019-05-15 23:06 UTC (permalink / raw)
To: Marius Bakke; +Cc: 34632-done
Hello Marius,
Marius Bakke <mbakke@fastmail.com> writes:
[...]
>>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>>> think that, if GSS was being examined to the same degree, we would learn
>>> of many serious bugs. Any significant C codebase of this age will have
>>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>>
>>> [0]
>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>>
>> Just FYI,
>>
>> I had ping'd the GSS mailing list with this message:
>> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
>> there haven't been a reply (yet).
>>
>> So it looks like it was a wise decision to make the switch! Sorry for
>> doubting, eh!
>
> Thank you very much for checking with upstream :-)
>
> I was on the fence about this switch myself, and submitted this patch
> hoping for feedback along these lines.
>
> It would be great to get Shishi and GSS into Googles OSS-Fuzz and
> similar so that we can be more confident in the implementation.
Would it be possible to add a fuzz phase to our GNU build system? If
it's not too expensive to run, it could be a security enhancer for the
Guix System! AFL (which is one of the two fuzzers used by Google's
OSS-fuzz service, and which we already have in Guix).
Food for thoughts!
> For now I've pushed these patches in 996186b..828d376.
Thank you,
Maxim
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2019-05-15 23:07 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-23 16:20 [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5 Marius Bakke
2019-02-23 16:23 ` [bug#34632] [PATCH 1/2] gnu: gsasl: Use the MIT Kerberos implementation instead of GSS Marius Bakke
2019-02-23 16:23 ` [bug#34632] [PATCH core-updates 2/2] gnu: curl: Build against MIT Kerberos " Marius Bakke
2019-02-26 4:58 ` [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5 Leo Famulari
2019-03-15 22:14 ` Ludovic Courtès
2019-03-16 3:43 ` Maxim Cournoyer
2019-03-17 18:27 ` Leo Famulari
2019-05-14 3:17 ` Maxim Cournoyer
2019-05-14 18:15 ` bug#34632: " Marius Bakke
2019-05-15 23:06 ` [bug#34632] " Maxim Cournoyer
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).