Hi Maxim,

Maxim Cournoyer writes:

> Hello,
>
> Leo Famulari writes:
>
>> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>>> Unmaintained on what ground? The website doesn't list fresh news,
>>> but the latest release was made in 2014 [1], and the maintainer has made
>>> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
>>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>>> there aren't).
>>
>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>> think that, if GSS was being examined to the same degree, we would learn
>> of many serious bugs. Any significant C codebase of this age will have
>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>
>> [0]
>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>
> Just FYI,
>
> I had ping'd the GSS mailing list with this message:
> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
> there hasn't been a reply (yet).
>
> So it looks like it was a wise decision to make the switch! Sorry for
> doubting, eh!

Thank you very much for checking with upstream :-)

I was on the fence about this switch myself, and submitted this patch
hoping for feedback along these lines. It would be great to get Shishi
and GSS into Google's OSS-Fuzz and similar so that we can be more
confident in the implementation.

For now I've pushed these patches in 996186b..828d376.