[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#34632: [PATCH 0/2] Change from GSS to MIT-KRB5.
|
From: |
Marius Bakke |
|
Subject: |
bug#34632: [PATCH 0/2] Change from GSS to MIT-KRB5. |
|
Date: |
Tue, 14 May 2019 20:15:36 +0200 |
|
User-agent: |
Notmuch/0.28.3 (https://notmuchmail.org) Emacs/26.2 (x86_64-pc-linux-gnu) |
Hi Maxim,
Maxim Cournoyer <address@hidden> writes:
> Hello,
>
> Leo Famulari <address@hidden> writes:
>
>> On Fri, Mar 15, 2019 at 11:43:26PM -0400, Maxim Cournoyer wrote:
>>> Unmaintained on what ground? The website doesn't list fresh news,
>>> but the latest release was made in 2014 [1], and the maintainer has made
>>> changes to the Debian package last time in 2017 [2]. I wouldn't say it's
>>> unmaintained until the maintainer says so or CVEs pile up unfixed (which
>>> there aren't).
>>
>> Considering the rate of vulnerability discovery in MIT Kerberos [0] I
>> think that, if GSS was being examined to the same degree, we would learn
>> of many serious bugs. Any significant C codebase of this age will have
>> such bugs. But unfortunately GSS hasn't received as much scrutiny.
>>
>> [0]
>> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=krb5
>
> Just FYI,
>
> I had ping'd the GSS mailing list with this message:
> http://lists.gnu.org/archive/html/help-gss/2019-03/msg00001.html, but
> there haven't been a reply (yet).
>
> So it looks like it was a wise decision to make the switch! Sorry for
> doubting, eh!
Thank you very much for checking with upstream :-)
I was on the fence about this switch myself, and submitted this patch
hoping for feedback along these lines.
It would be great to get Shishi and GSS into Googles OSS-Fuzz and
similar so that we can be more confident in the implementation.
For now I've pushed these patches in 996186b..828d376.
signature.asc
Description: PGP signature