Bug#503833: Unparseable PKCS cert

Simon Josefsson simon at josefsson.org
Mon Nov 10 08:55:02 CET 2008


"Nikos Mavrogiannopoulos" <nmav at gnutls.org> writes:

> On Fri, Nov 7, 2008 at 10:16 AM, Simon Josefsson <simon at josefsson.org> wrote:
>
>> I just realized: doesn't Nikos' patch actually do two separate things?
>>
>> 1) Add the BER stuff needed to support the PKCS#12 blob
>>
>> 2) Optimize tree generation by using the small_value field.
>>
>> It is the 2) that causes the ABI break, but 1) that is needed to solve
>> to the regression.
>>
>> Thinking about this, and speaking generally, I don't think optimizations
>> are important enough to warrant an ABI break without good justification.
>> Nikos, did you do any benchmarking?  How much is slowed down because of
>> this?
>
> I don't think this is a question that we would like to set to
> ourselves. It leads to another questions on which optimization would
> be good enough or which addition is good enough to justify the break.
>
> The real question would be whether we want the internal structures
> published on the public API. I don't think we want this. It leads to
> us being handicap (like we are now) to apply any optimization/addition
> to the internal works of the library. Thus for me it is a good thing
> to move them away as soon as we can to allow further development on
> libtasn1.
>
> The other question is whether someone would like to split this patch
> and apply the fix for the another compatible stable release to be
> made, or just for debian version to apply it. I am not interested in
> doing it, but I wouldn't object either. It is a good thing to do.
>
>> I'm beginning to feel that we should remove the small_value part of this
>> patch, to retain ABI compatibility.
>
> No I am strongly against such a move. We would have to answer again
> this question on the next serious change. By insisting on being
> backwards compatible (without a serious reason) we will prevent any
> further development on this library.

I agree, my proposal was to just remove the patch temporarily, but I
wasn't clear on that.  Thus I propose this plan which as far as I can
tell seems OK with everyone:

Release v1.6 now to fix the PKCS#12/BER problem but does not contain the
optimized code, and is thus fully API and ABI backwards compatible.

Apply the small_values patch on master, and prepare a v2.0 release.
I'll wait 2-3 weeks to see if there are major problems with v1.6 (quite
a lot of things have changed compared to v1.5) and then release it.

/Simon





More information about the Gnutls-devel mailing list