[FFE] Should use libnss instead of libcrypto++

Bug #932896 reported by Clint Byrum
Affects | Status | Importance | Assigned to | Milestone
ceph (Ubuntu) | Fix Released | High | Clint Byrum |
Precise | Fix Released | High | Clint Byrum |

Bug Description

FFE justification:

==========

* libNSS is already included in main, and is supported by upstream as well, so is a better choice to perform the same crypto duties.

* we are still hopeful that parts of CEPH necessary for integration with kvm (librados and librbd) will be approved for main before FinalFreeze. This is the only dependency/build-dependency that is not in main.

* TINY delta (only changes to debian/control) to simply pick up libnss instead of libcryptopp

==========

libNSS has received more peer review and is already in main, so ceph should be configured to use libnss instead of crypto++

Changed in ceph (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-12.04-beta-1
status: New → Confirmed
Martin Pitt (pitti)
Changed in ceph (Ubuntu):
milestone: ubuntu-12.04-beta-1 → ubuntu-12.04-beta-2
tags: added: rls-mgr-p-tracking
Changed in ceph (Ubuntu):
milestone: ubuntu-12.04-beta-2 → ubuntu-12.04
summary: - Should use libnss instead of libcrypto++
+ [FFE] Should use libnss instead of libcrypto++
Changed in ceph (Ubuntu Precise):
status: Confirmed → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
description: updated
Clint Byrum (clint-fewbar) wrote :

Attaching successful build log with the proposed changes.

Changed in ceph (Ubuntu Precise):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

In the interest of time, here are some preliminary items:

Pulls in libcrypto++ from universe (LP: #932896).

Also pulls in libfcgi, google-perftools, libunwind from universe during the build.

Uses python-support (in universe), should be converted to dh_python2.

Not lintian clean:
ceph_0.41-1ubuntu1_amd64.deb:
W: ceph: init.d-script-missing-start etc/init.d/ceph 4
N: 2 tags overridden (2 errors)

gceph_0.41-1ubuntu1_amd64.deb:
W: gceph: binary-without-manpage usr/bin/gceph

librbd1_0.41-1ubuntu1_amd64.deb:
W: librbd1: binary-without-manpage usr/bin/ceph-rbdnamer

radosgw_0.41-1ubuntu1_amd64.deb:
W: radosgw: init.d-script-missing-start etc/init.d/radosgw 4

Jamie Strandboge (jdstrand) wrote :

Meh, that comment was intended for bug #932898. Sorry.

Clint Byrum (clint-fewbar) wrote :

FYI, the branch has been updated to also drop the need for libfcgi and google perftools.

Steve Langasek (vorlon) wrote :

libnss is certainly well-vetted, but it's also important that the software calling the crypto library be trustable... is ceph in widespread use with libnss, or are we going to be guinea pigs here?

Josh Durgin (jdurgin) wrote :

NSS support was added to ceph so people running RHEL or similar distros that don't package crypto++ could use authentication. Ubuntu would not be the guinea pig here.

Sage Weil (sage-newdream) wrote :

Ceph with libnss is used by everyone on the Red Hat side of things: Fedora, CentOS, and SUSE, so there is significant user testing. It's what our ceph.spec.in file uses.

Steve Langasek (vorlon) wrote :

Ack for the FFe then, thanks for the input.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ceph - 0.41-1ubuntu2

---------------
ceph (0.41-1ubuntu2) precise; urgency=low

  * d/control: switch from libcryptopp to libnss as libcryptopp is not
    seeded. (LP: #932896)
  * d/control,d/rules: move from python-support to dh_python2 per MIR
    review.
  * d/patches/manpage_updates*.patch: cherry picked upstream manpage
    updates warning about lack of encryption, per MIR review.
  * d/rules,d/control: Drop radosgw since libfcgi is not in main and
    the code may not be suitable for LTS.
  * d/rules,d/control: drop tcmalloc since google perftools is not
    in main yet.
  * d/rules,d/control: drop ceph-fuse entirely per MIR review
    recommendation.
 -- Clint Byrum <email address hidden> Thu, 12 Apr 2012 11:46:50 -0700

Changed in ceph (Ubuntu Precise):
status: Fix Committed → Fix Released