On 07/29/2013 04:25 AM, Daniel P. Berrange wrote:
On Fri, Jul 26, 2013 at 08:22:29PM -0500, Doug Goldstein wrote:
> On Fri, Jul 26, 2013 at 5:04 PM, Eric Blake <eblake(a)redhat.com> wrote:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=951637
>>
>> Newer gnutls uses nettle, rather than gcrypt, which is a lot nicer
>> regarding initialization. Yet we were unconditionally initializing
>> gcrypt even when gnutls wouldn't be using it, and having two crypto
>> libraries linked into libvirt.so is pointless.
>>
>> Assume that the switch to gnutls 3.0 is a reliable witness, when
>> pkg-config is present; otherwise be pessimistic and use gcrypt.
>>
>
> Hate to throw a monkey wrench in the plan, but GnuTLS 3.0 isn't the
> nettle cut over. On my stable Gentoo box with GnuTLS 2.12.23, it's
> using nettle as seen by ldd.
>
> It appears it was an optional cutover and I guess Gentoo made the
> plunge. Another idea, that you might hate would be to use pkg-config
> directly and pass --static so we can get the private libraries. I'm
> not running Fedora 19 yet so the best I can do is give you Fedora 18
> as a comp, but that works out great since it's using 2.12.23 as well.
Hmm, so Eric's patch is mostly just an optimization, to avoid unnecessarily
linking to libgcrypt. If we link to libgcrypt when gnutls is using nettle
nothing bad really happens. We just unnecessarily initialize gcrypt.
So, should I try for a v3 that treats:
  < 2.12          - gcrypt only
  >= 3.0          - nettle only
  >= 2.12 && < 3.0 - assume gcrypt unless 'pkg-config --static' proves the
                     use of nettle instead of gcrypt
or do we just stick with v2? Also, is this still worth getting in
before 1.1.1, or since (as Dan pointed out) this is just an optimization
and not a correctness issue, should we wait until after the release so
we aren't rushing things?
Conversely, if we do not link to libgcrypt, when gnutls is using libgcrypt,
then we are missing important initialization code, which *is* bad.
IOW, doing the check against version 3.0.0 or later does not cause any
problems, since we know that libgcrypt can never be used with that version.
If we do a check against 2.12 though, we could miss out linkage against
libgcrypt depending on how the distro built their packages.
So unless we can come up with an easy & reliable way to detect use of
nettle with 2.x versions, I'm inclined to just stick our heads in the
sand and pretend that no 2.x version ever used nettle. Worst case we
link to and initialize gcrypt, which is not a bad problem.
Versions less than 2.12 (such as RHEL 6) don't matter - and so far,
'pkg-config --static' appears to be reliable on all 2.12 builds whether
or not they made the switch.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
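As an added illustration, not code from the patch or from libvirt's own configure.ac: a POSIX sh sketch of the v3 ladder discussed above, with the pessimistic default Dan argues for (missing the gcrypt initialization is the dangerous direction, an extra init is harmless). The version and the private link line are passed in as arguments so it runs offline; in a real configure check they would be assumed to come from `pkg-config --modversion gnutls` and `pkg-config --static --libs gnutls`.

```shell
#!/bin/sh
# Added example: pick the crypto library libvirt must link and initialize
# for a given gnutls build.  Not libvirt's configure code.

# ver_key "major.minor.micro" -> integer usable with -ge/-lt,
# e.g. 2.12.23 -> 2012023; missing components count as 0.
ver_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%d' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# gnutls_crypto_backend VERSION STATIC_LIBS
#   VERSION      assumed output of: pkg-config --modversion gnutls
#   STATIC_LIBS  assumed output of: pkg-config --static --libs gnutls
# Prints "nettle" or "gcrypt" (the library that needs explicit init).
gnutls_crypto_backend() {
    ver=$1
    libs=$2
    if [ "$(ver_key "$ver")" -ge "$(ver_key 3.0)" ]; then
        echo nettle            # 3.x can never use gcrypt
    elif [ "$(ver_key "$ver")" -lt "$(ver_key 2.12)" ]; then
        echo gcrypt            # pre-2.12 (e.g. RHEL 6) is gcrypt only
    else
        # 2.12 <= version < 3.0: the switch was optional per distro, so
        # assume gcrypt unless the private link line proves nettle.
        case " $libs " in
            *" -lnettle "*) echo nettle ;;
            *)              echo gcrypt ;;
        esac
    fi
}

# Convenience wrapper for a live system; only used when pkg-config exists.
detect_gnutls_crypto_backend() {
    command -v pkg-config >/dev/null 2>&1 || { echo gcrypt; return; }
    gnutls_crypto_backend "$(pkg-config --modversion gnutls)" \
                          "$(pkg-config --static --libs gnutls)"
}
```

The wrapper falls back to gcrypt when pkg-config is absent, matching the "otherwise be pessimistic" rule in the commit message.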