Bug#566351: libgcrypt11: should not change user id as a side effect
Werner Koch
wk at gnupg.org
Wed Jan 27 11:28:27 CET 2010
On Wed, 27 Jan 2010 01:17, ansgar at 43-1.org said:
> There are enough sensible reasons for an application using gcrypt only
> indirectly (eg. applications using gnutls should not need to care which
> cryptographic library is used by it, more so for applications that only
> use a library like libcurl that uses gnutls, but can also use OpenSSL).
There is an easy solution to this: Use your own memory handler.
Anyway, they need to care about this; read the gcrypt manual to see why
this is important.
In general all these inter-library dependencies are a mess. They
subvert the assumptions of carefully written software. We have seen
large trees of dependencies where several versions of the same library are
in use - that works only by coincidence and yields bugs which are very
hard to track down. There is also a license compliance problem with
this approach: I noticed in several cases OpenSSL used along with GPL
software due to dependencies the developer was not aware of (e.g.
OpenLDAP).
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.