Re: libssh and libgcrypt recent vulnerability

[Aris Adamantiadis <aris@xxxxxxxxxx>]

Hi Jakub,
> thank you for starting this discussion with actual commit proposed. We 
> talked about this for some time already and this incident is raising 
> the issue more priority again. For Fedora, we do not need libgcrypt 
> backend, but I would certainly like to get hold of the ones who 
> contributed this code before we will remove it altogether (I was not 
> here at that time so I do not know the whole story).

IIRC this code was created in 2007 by Jean-Philippe Garcia Ballester who 
wanted to make libssh suitable for debian, due to the compatibility 
problems between GPL and OpenSSL's license. I do not know who worked on 
libgcrypt on purpose last (e.g. with the intend of actually use 
libgcrypt). I'd really like to have their opinion before taking a harsh 
decision.

The Debian debate seems to be recently settled (thanks Laurent 
Bigonville for the research)

http://meetbot.debian.net/debian-ftp/2020/debian-ftp.2020-03-13-20.02.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972181

> On the technical note, the changeset is missing is removal of 
> libgcrypt reference from doc/introduction.dox (and sign-off trailers).
I've been made aware of a few typos too, I'll fix this.
> The other question is whether we want to remove it now or after 0.10.0 
> release which should be at sight. I am still a bit hesitant to do it 
> from day to day without announcement and some grace-period.
I agree. let's take some time to collect feedback and let distro 
maintainers some time to prepare before pulling the plug. We can add a 
big fat warning in the cmake build process that libgcrypt will not be 
supported anymore.


Regards,

Aris