
Re: libssh and libgcrypt recent vulnerability


Hi Jakub,
thank you for starting this discussion with an actual commit proposed. We have talked about this for some time already, and this incident is raising the priority of the issue again. For Fedora, we do not need the libgcrypt backend, but I would certainly like to get hold of the ones who contributed this code before we remove it altogether (I was not here at that time, so I do not know the whole story).

IIRC this code was created in 2007 by Jean-Philippe Garcia Ballester, who wanted to make libssh suitable for Debian, due to the compatibility problems between the GPL and OpenSSL's license. I do not know who last worked on libgcrypt on purpose (e.g. with the intent of actually using libgcrypt). I'd really like to have their opinion before taking a harsh decision.

The Debian debate seems to have been settled recently (thanks to Laurent Bigonville for the research):

http://meetbot.debian.net/debian-ftp/2020/debian-ftp.2020-03-13-20.02.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972181


On the technical note, the changeset is missing the removal of the libgcrypt reference from doc/introduction.dox (and sign-off trailers).
I've been made aware of a few typos too, I'll fix this.

The other question is whether we want to remove it now or after the 0.10.0 release, which should be in sight. I am still a bit hesitant to do it from one day to the next without an announcement and some grace period.

I agree. Let's take some time to collect feedback and give distro maintainers some time to prepare before pulling the plug. We can add a big fat warning in the cmake build process that libgcrypt will not be supported anymore.


Regards,

Aris


References:
Re: libssh and libgcrypt recent vulnerability, Jakub Jelen <jjelen@xxxxxxxxxx>