Subject: [bug#34632] [PATCH 0/2] Change from GSS to MIT-KRB5.
From: Maxim Cournoyer
To: Marius Bakke
Cc: 34632-done@debbugs.gnu.org
Date: Wed, 15 May 2019 19:06:47 -0400
In-Reply-To: <87v9ycaomv.fsf@fastmail.com> (Marius Bakke's message of "Tue, 14 May 2019 20:15:36 +0200")
Message-ID: <8736lftj08.fsf@gmail.com>

Hello Marius,

Marius Bakke writes:

[...]

>>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>>> think that, if GSS was being examined to the same degree, we would learn
>>> of many serious bugs. Any significant C codebase of this age will have
>>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>>
>>> [0]
>>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>>
>> Just FYI,
>>
>> I had ping'd the GSS mailing list with this message:
>> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
>> there hasn't been a reply (yet).
>>
>> So it looks like it was a wise decision to make the switch! Sorry for
>> doubting, eh!
>
> Thank you very much for checking with upstream :-)
>
> I was on the fence about this switch myself, and submitted this patch
> hoping for feedback along these lines.
>
> It would be great to get Shishi and GSS into Google's OSS-Fuzz and
> similar so that we can be more confident in the implementation.

Would it be possible to add a fuzz phase to our GNU build system? If
it's not too expensive to run, it could be a security enhancer for the
Guix System! AFL (which is one of the two fuzzers used by Google's
OSS-fuzz service, and which we already have in Guix). Food for thought!

> For now I've pushed these patches in 996186b..828d376.

Thank you,

Maxim