New gpgme 0.3 release

Pawel Salek pawsa-gpa at theochem.kth.se
Mon Nov 24 21:58:29 CET 2003


On 2003.11.23 22:41, Werner Koch wrote:
> On Sat, 22 Nov 2003 23:12:17 +0000, Pawel Salek said:
> 
> > What about including libgpgme in libgpg-error or merging these
> > packages in some other way? libgpgme.tar.gz is less than 300kb  
> which is very
> 
> That would make libgpg-error pretty pointless.  It sole reason for
> existance is to allow sharing error codes between different
> applications and still allow to deduce the orgin of the error (a  
> major problem debugging the current Aegypten stuff), having conistent  
> err

I am not sure whether I am aware of all the relevant details but if the  
task is to be able return (CODE_SHARED_BETWEEN_APPLICATIONS, 
APPLICATION_CODE) tuple, there are much more convienient ways to do  
that than adding new libraries. The same holds for consistent  
translations.

> > would be to have a single library (call it libgpg) that would come
> with
> > a basic CLI frontend (program called gpg). If one wants to link
> > other
> 
> A single library is a major security problem for larger applications  
> -
> they get too complex and parts can't be tested independently. This is
> also true for large applications, build from several libraries.  On
> almost every OS we have a security boundary we understand pretty
> welll, and that is the process.  Thus my dividing a task into  
> separate and independent processes we will make the entire system  
> more reliable: All of the smaller applications (modules) can be  
> tested independently, a bug in one module has a lesser probability to
> propagate to other modules, exploiting bugs will get harder, modules
> can be indendently audited, the IPC traffic can be audited, modules
> are replaceable for specific tasks.

That's a very good idea but how does it conflict with the scheme I  
described above? Spawning a process to securely process sensitive data  
is an implementation issue of libgpg. I assume you want to avoid  
mistakes that plagued ssh or openssl but I wonder whether this approach  
just not sweeps the problem under the carpet and by decreasing  
probability of an implementation bug increases a chance that there is a  
configuration mistake or users will plainly refuse to use GPG because  
of too many configuration problems. Security problems can be avoided by  
controlling complexity and clean interface design. I can imagine that  
the interfaces become cleaner but what about complexity?

> In reality we can't achive eberything but we try to keep the
> depndencies as small as possibleand don't link applications to
> libraries nt actually needed.  For example: The gpg-agent does only
> link against Libgcrypt (low-level crypto) and libassuan (IPC) but not
> to a GnuPG library or Libksba (for X.509) or even smartcard code.
> Thus a bug in the libksba won't affect the private key management in
> gpg-agent.

I am not sure we have the same understanding of a linking process. Even  
if all these three libraries were in merged in a single file, only used  
objects would be linked in the gpg-agent binary and obviously unused  
modules would not affect it.


> > libgpg-error is needed and compile and install gpgme as well. spec
> > files contained in gpgme and libgpg-error do not work out of the  
> box
> on
> > RH9.0 - and Fedora as well (I think the problems are rpm-4 related;
> 
> 
> Please keep in mind that this is work in progess (remember 0.3, 0.4)

Accepted!

> and that we won't do any specific packaging - that's RedHat's or
> Debian's due.

My opinion is that packaging is for the user. I am now not complaining  
on behalf of redhat: I am sure if they had a problem with the spec file  
provided with gpgme they would just fixed it and moved on. I am  
complaining on behalf of an ordinary user who would like to install  
software with as little hassle as possible. I would be much happier if  
the spec files provided by Axel were merged in and distributed with the  
next release.

Pawel



More information about the Gpa-dev mailing list