Re: [Mingw-cross-env-list] gnutls update with new supporting packages p1
From: Volker Grabsch
Subject: Re: [Mingw-cross-env-list] gnutls update with new supporting packages p11-kit and dlfcn-win32
Date: Sat, 20 Aug 2011 01:05:56 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

Hello Mark,

Mark Brand wrote:
> I just pushed an update to gnutls 2.12.8. This version wants to have
> p11-kit which wants to have dlopen() provided by dlfcn-win32.

While I appreciate the work you put into assembling and finding
the components to make this run, I have a problem with the
following part:

> p11-kit
> http://hg.savannah.gnu.org/hgweb/mingw-cross-env/rev/2c718573fadb
> Fixups were needed for the .pc file. Also had to #ifdef away some
> code not suitable for Windows.

If I understand your patch correctly, it makes some function
return nothing in case the HOME environment variable is not
set. I wonder why the compiler doesn't show a big warning about
that. Also, the patch will ensure that reinitialize_after_fork()
will never be called. Are you sure this is a safe thing to do?

In general, I think it is very dangerous to patch security-related
packages on our own. This requires special care and should be
brought up on the respective upstream project's mailing list.

In addition, the p11-kit library obviously hasn't been written
with Windows or MinGW in mind. So I wonder if it makes sense
at all to port it to MinGW.

I also wonder how the official Windows package of GnuTLS has
been built. How did they build it? Did they touch p11-kit, too?
Or did they build GnuTLS without p11-kit?

Those questions need to be answered, either by intensive research
on the net, or (preferably) by discussion on the GnuTLS or p11-kit
mailing list.

I recommend to undo those 3 changesets until those questions are
answered. Otherwise I'm pretty sure we'll risk a disaster comparable
to the Debian/OpenSSL disaster 3 years ago. [1]

Greets,
Volker

[1] http://lists.debian.org/debian-security-announce/2008/msg00152.html

--
Volker Grabsch
---<<(())>>---