Re: [Mingw-cross-env-list] gnutls update with new supporting packages p11-kit and dlfcn-win32

[Volker Grabsch]

Hello Mark,

Mark Brand schrieb:
> I just pushed an update to gnutls 2.12.8. This version wants to have
> p11-kit which wants to have dlopen() provided by dlfcn-win32.

While I appreciate the work you put into assembling and finding
the components to make this run, I have a problem with the
following part:

> p11-kit
> http://hg.savannah.gnu.org/hgweb/mingw-cross-env/rev/2c718573fadb
> Fixups were needed for the .pc file. Also had to #ifdef away some
> code not suitable for Windows.

If I understand your patch correctly, it makes some function
return nothing in case the HOME environment variable is not
set. I wonder why the compiler doesn't show a big warning about
that. Also, the patch will ensure that reinitialize_after_fork()
will never be called. Are you sure this is a safe thing to do?

In general, I think it is very dangerous to patch security-related
packages on our own. This requires special care and should be
brought up on the respective upstream project's mailing list.

In addition, the p11-kit library obviously hasn't been written
with Windows or MinGW in mind. So I wonder if it makes sense
at all to port it to MinGW.

I also wonder how the official Windows package of GnuTLS has
been built. How did they build it? Did they touch p11-kit, too?
Or did they GnuTLS without p11-kit?

Those questions need to be answered, either by intensive research
on the net, or (preferably) by discussion on the GnuTLS or p11-kit
mailing list.

I recommend to undo those 3 changesets until those questions are
answered. Otherwise I'm pretty sure we'll risk a disaster comparable
to the Debian/OpenSSL disaster 3 years ago. [1]


Greets,
Volker


[1] http://lists.debian.org/debian-security-announce/2008/msg00152.html

-- 
Volker Grabsch
---<<(())>>---