On 07/29/2013 04:25 AM, Daniel P. Berrange wrote:
> On Fri, Jul 26, 2013 at 08:22:29PM -0500, Doug Goldstein wrote:
>> On Fri, Jul 26, 2013 at 5:04 PM, Eric Blake <eblake@xxxxxxxxxx> wrote:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=951637
>>>
>>> Newer gnutls uses nettle, rather than gcrypt, which is a lot nicer
>>> regarding initialization. Yet we were unconditionally initializing
>>> gcrypt even when gnutls wouldn't be using it, and having two crypto
>>> libraries linked into libvirt.so is pointless.
>>>
>>> Assume that the switch to gnutls 3.0 is a reliable witness, when
>>> pkg-config is present; otherwise be pessimistic and use gcrypt.
>>>
>>> https://www.redhat.com/mailman/listinfo/libvir-list
>>
>> Hate to throw a monkey wrench in the plan, but GnuTLS 3.0 isn't the
>> nettle cut over. On my stable Gentoo box with GnuTLS 2.12.23, it's
>> using nettle as seen by ldd.
>>
>> It appears it was an optional cutover and I guess Gentoo made the
>> plunge. Another idea, that you might hate, would be to use pkg-config
>> directly and pass --static so we can get the private libraries. I'm
>> not running Fedora 19 yet so the best I can do is give you Fedora 18
>> as a comp, but that works out great since it's using 2.12.23 as well.
>
> Hmm, so Eric's patch is mostly just an optimization, to avoid unnecessarily
> linking to libgcrypt. If we link to libgcrypt when gnutls is using nettle
> nothing bad really happens. We just unnecessarily initialize gcrypt.

So, should I try for a v3 that treats:

< 2.12 - gcrypt only
>= 3.0 - nettle only
<= 2.12 && < 3.0 - assume gcrypt unless 'pkg-config --static' proves the
use of nettle instead of gcrypt

or do we just stick with v2?

Also, is this still worth getting in before 1.1.1, or since (as Dan
pointed out) this is just an optimization and not a correctness issue,
should we wait until after the release so we aren't rushing things?

> Conversely, if we do not link to libgcrypt, when gnutls is using libgcrypt,
> then we are missing important initialization code, which *is* bad.
>
> IOW, doing the check against version 3.0.0 or later does not cause any
> problems, since we know that libgcrypt can never be used with that version.
>
> If we do a check against 2.12 though, we could miss out linkage against
> libgcrypt depending on how the distro built their packages.
>
>
> So unless we can come up with an easy & reliable way to detect use of
> nettle with 2.x versions, I'm inclined to just stick our heads in the
> sand and pretend that no 2.x version ever used nettle. Worst case we
> link to and initialize gcrypt, which is not a bad problem.

Versions less than 2.12 (such as RHEL 6) don't matter - and so far,
'pkg-config --static' appears to be reliable on all 2.12 builds whether
or not they made the switch.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
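The three-way rule Eric proposes above (gcrypt below 2.12, nettle from 3.0, and `pkg-config --static` as the witness for the 2.12 series), written out as an added POSIX sh check; this is illustrative code, not the libvirt configure logic or the v2/v3 patch. The gnutls version and the `pkg-config --static --libs gnutls` output are passed in as constructed arguments so the check runs without gnutls installed.

```shell
#!/bin/sh
# Added example, not code from the libvirt patch. In a configure script the
# two inputs would come from `pkg-config --modversion gnutls` and
# `pkg-config --static --libs gnutls`; here they are constructed arguments.
# needs_gcrypt prints "yes" when libvirt must link and initialize libgcrypt.

# version_key 2.12.23 -> 2012023 (up to three dotted components, each
# padded to three digits so plain integer comparison orders versions)
version_key() {
    echo "$1" | {
        IFS=. read -r maj min mic
        echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${mic:-0} ))
    }
}

# version_ge A B: succeeds when dotted version A >= B
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# needs_gcrypt VERSION STATIC_LIBS: prints "yes" or "no"
needs_gcrypt() {
    ver=$1
    libs=$2
    if version_ge "$ver" 3.0; then
        echo no                 # gnutls >= 3.0 never uses gcrypt
    elif ! version_ge "$ver" 2.12; then
        echo yes                # < 2.12 (e.g. RHEL 6): gcrypt only, no probing
    else
        # 2.12 series: pessimistic unless --static proves nettle, not gcrypt
        case " $libs " in
            *" -lgcrypt "*)                 echo yes ;;
            *" -lnettle "*|*" -lhogweed "*) echo no ;;
            *)                              echo yes ;;
        esac
    fi
}

# Constructed samples: a Gentoo-style 2.12.23 built on nettle, a 2.12.23
# built on gcrypt, and a 3.x build.
for sample in \
    "2.12.23|-lgnutls -lnettle -lhogweed -lgmp -lz" \
    "2.12.23|-lgnutls -lgcrypt -lgpg-error -lz" \
    "3.2.4|-lgnutls -lnettle -lhogweed -lgmp"; do
    ver=${sample%%|*}
    libs=${sample#*|}
    echo "gnutls $ver: link gcrypt = $(needs_gcrypt "$ver" "$libs")"
done
```

An empty or unparseable `--static` result falls through to "yes", which is the pessimistic default the thread settles on.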