* [bug#34632] GSS development status
From: help-gss--- via @ 2022-08-06 14:02 UTC
To: Maxim Cournoyer; +Cc: 34632, help-gss

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> I'd like to inquire about the development status of GSS? Has it left the
> beta status? Are bugs still being fixed? Are there any known or presumed
> security issues when using GSS rather than its more mainstream
> implementation in MIT Kerberos?
>
> I'm asking because the GNU Guix project is considering a switch from GNU
> GSS to MIT krb5 for security reasons [0], given that no new releases have
> been made since 2014.
>
> Thank you,
>
> Maxim Cournoyer
>
> [0] http://issues.guix.info/issue/34632

Hi Maxim,

Sorry for the slow response, which may in part be an answer to your
question. However I have just released GNU GSS version 1.0.4 to refresh
the project, and have set up CI/CD checking of it to pave the road for
future improvements. To my knowledge there are only two major missing
features:

1) Missing gss_wrap() AES functionality. This prevents SASL GSS-API
   from completing on modern machines. Shishi supports AES and GSSLib
   supports it for GSS_Init_sec_context etc but not GSS_wrap.

2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
   Heimdal.

I hope to complete 1) in the future. For 2), fixing it would be a GNU
Shishi feature that should be simple to resolve -- it ships with tools
ccache2shishi and keytab2shishi to convert the files, but that should be
done automatically internally by the library instead.

Indeed getting these enrolled in the OSS Fuzz project would be a great
contribution. My primary goal is to do a new release of GNU Shishi and
improve the CI/CD integration checks to have good confidence in future
changes.

Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
I believe it would be much nicer if you would use the 'Libgssglue'
package instead! Then the user can change GSS-API library at run-time.
Read about this work here:

https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

/Simon
* [bug#34632] GSS development status
From: Maxim Cournoyer @ 2022-08-10 0:48 UTC
To: Simon Josefsson; +Cc: 34632, help-gss

Hi Simon,

Simon Josefsson <simon@josefsson.org> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>
>> Hello,
>>
>> I'd like to inquire about the development status of GSS? Has it left the
>> beta status? Are bugs still being fixed? Are there any known or presumed
>> security issues when using GSS rather than its more mainstream
>> implementation in MIT Kerberos?
>>
>> I'm asking because the GNU Guix project is considering a switch from GNU
>> GSS to MIT krb5 for security reasons [0], given that no new releases have
>> been made since 2014.
>>
>> Thank you,
>>
>> Maxim Cournoyer
>>
>> [0] http://issues.guix.info/issue/34632
>
> Hi Maxim,
>
> Sorry for the slow response, which may in part be an answer to your
> question. However I have just released GNU GSS version 1.0.4 to refresh
> the project, and have set up CI/CD checking of it to pave the road for
> future improvements. To my knowledge there are only two major missing
> features:
>
> 1) Missing gss_wrap() AES functionality. This prevents SASL GSS-API
>    from completing on modern machines. Shishi supports AES and GSSLib
>    supports it for GSS_Init_sec_context etc but not GSS_wrap.
>
> 2) Shishi doesn't use the same ccache/keytab files as MIT Kerberos and
>    Heimdal.
>
> I hope to complete 1) in the future. For 2), fixing it would be a GNU
> Shishi feature that should be simple to resolve -- it ships with tools
> ccache2shishi and keytab2shishi to convert the files, but that should be
> done automatically internally by the library instead.
>
> Indeed getting these enrolled in the OSS Fuzz project would be a great
> contribution. My primary goal is to do a new release of GNU Shishi and
> improve the CI/CD integration checks to have good confidence in future
> changes.
>
> Regarding what 'gsasl' and 'curl' should be linked against in GNU Guix,
> I believe it would be much nicer if you would use the 'Libgssglue'
> package instead! Then the user can change GSS-API library at run-time.
> Read about this work here:
>
> https://blog.josefsson.org/2022/07/14/towards-pluggable-gss-api-modules/

Thank you for this update! I'm happy to read you are picking up
maintenance of GSS. The libgssglue is interesting... I'll have to read
about it to know how it's intended to be used.

Thanks, and long live GNU GSS!

Maxim