Bug#566351: libgcrypt11: should not change user id as a side effect

Werner Koch wk at gnupg.org
Wed Jan 27 11:28:27 CET 2010

On Wed, 27 Jan 2010 01:17, ansgar at 43-1.org said:

> There are enough sensible reasons for an application using gcrypt only
> indirectly (eg. applications using gnutls should not need to care which
> cryptographic library is used by it, more so for applications that only
> use a library like libcurl that uses gnutls, but can also use OpenSSL).

There is an easy solution to this:  Use your own memory handler.

Anyway, they need to care about this; read the gcrypt manual to see why
this is important.

In general all these inter-library dependencies are a mess.  They
subvert the assumptions of carefully written software.  We have seen
large trees of dependencies where several versions of the same library are
in use - that works only by coincidence and yields bugs which are very
hard to track down.  There is also a license compliance problem with
this approach: I noticed in several cases OpenSSL used along with GPL
software due to dependencies the developer was not aware of (e.g.



Thoughts are free.  Exceptions are regulated by a federal law.
