[libvirt] [PATCH 1/3] configure: Require GnuTLS
Michal Privoznik
mprivozn at redhat.com
Tue Jun 5 11:17:46 UTC 2018
On 06/05/2018 11:43 AM, Daniel P. Berrangé wrote:
> On Tue, Jun 05, 2018 at 10:45:55AM +0200, Michal Privoznik wrote:
>> We are building with GnuTLS everywhere because GnuTLS is widely
>> available. In addition after recent patches Libvirt relies on
>> GnuTLS' PRNG.
>
> This second sentance isn't true AFAIK - we still have fallback
> to /dev/urandom - GNUTLS is merely the first choice.
Okay. But after Peter's patches we do rely on GnuTLS more than ever ;-)
I'll reword and resend though.
Michal
>
> None the less I think its desirable to make GNUTLS mandatory
> since it is on all the platforms we care about and I prefer
> that we can assume a good crypto impl all the time. This mostly
> frees us from worrying about fallback impls which have higher
> risk of security problems.
Unfortunately not. Both suid and nss libs build with virhash.c which
requires virRandom*(). But this is a bogus dependency and hash tables
are not really used (at least in NSS module, did not bother to check for
suid lib). So we need a stub for virRandom*().
Michal
More information about the libvir-list
mailing list