Bug#566351: libgcrypt11: should not change user id as a side effect

Werner Koch wk at gnupg.org
Wed Jan 27 11:28:27 CET 2010


On Wed, 27 Jan 2010 01:17, ansgar at 43-1.org said:

> There are enough sensible reasons for an application using gcrypt only
> indirectly (e.g. applications using gnutls should not need to care which
> cryptographic library is used by it, more so for applications that only
> use a library like libcurl that uses gnutls, but can also use OpenSSL).

There is an easy solution to this:  Use your own memory handler.

Anyway, they need to care about this; read the gcrypt manual to see why
this is important.

In general all these inter-library dependencies are a mess.  They
subvert the assumptions of carefully written software.  We have seen
large trees of dependencies where several versions of the same library are
in use - that works only by coincidence and yields bugs which are very
hard to track down.  There is also a license compliance problem with
this approach: I noticed in several cases OpenSSL used along with GPL
software due to dependencies the developer was not aware of (e.g.
OpenLDAP).



Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by federal law.



