Re: [libvirt] [PATCH 1/3] configure: Require GnuTLS
On 06/05/2018 11:43 AM, Daniel P. Berrangé wrote:
On Tue, Jun 05, 2018 at 10:45:55AM +0200, Michal Privoznik wrote:
> We are building with GnuTLS everywhere because GnuTLS is widely
> available. In addition after recent patches Libvirt relies on
> GnuTLS' PRNG.
This second sentance isn't true AFAIK - we still have fallback
to /dev/urandom - GNUTLS is merely the first choice.
Okay. But after Peter's patches we do rely on GnuTLS more than ever ;-)
I'll reword and resend though.
Michal
None the less I think its desirable to make GNUTLS mandatory
since it is on all the platforms we care about and I prefer
that we can assume a good crypto impl all the time. This mostly
frees us from worrying about fallback impls which have higher
risk of security problems.
Unfortunately not. Both suid and nss libs build with virhash.c which
requires virRandom*(). But this is a bogus dependency and hash tables
are not really used (at least in NSS module, did not bother to check for
suid lib). So we need a stub for virRandom*().
Michal