Comment 19 for bug 1103353

On 04/07/2015 01:32 PM, Oleg Strikov wrote:
> Client may crash itself
> by passing incorrect cipher suite to the API. While that's sad, it
> doesn't crash slapd itself
To the contrary, it certainly does crash slapd itself. Anyone
upgrading will at some point silently switch from a slapd that used
openssl to gnutls --- without the package warning about nor updating the
apropos config string. As a result, "apt-get update;apt-get upgrade"
results in slapd crashing with a double free as it loads the previous
conf file. Most package maintainers would refer to this as a regression
inasmuch as the typical upgrade process fails to start and without any
obvious warning. The answer may be found by spending many hours
googling for 'what the heck'. For over a year this has gone unfixed.

At least improve the upgrade script to warn the installer and prevent
slapd from starting until some flag is set noting the user has corrected
the string and is aware the developers won't fix the issue.

In the alternative, I think a much better approach is to put a versions
of all these and related packages compiled against openSSL in the
appropriate repository. It is not material to me whether this is fixed
or not as I've removed all packages using gnutls until it's more mature,
and won't revisit this again for at least four years.

In fact I'm looking for other distros like Mint that actually check
whether upgrades generate regressions and classify risk assessments that
allow only proven upgrades to succeed.

It's really quite an eye-opener to me that a distro aiming to be
deployed outside the sole-user world doesn't see this as a problem.

--

Harry G Coin
Quiet Fountain LLC
2118 Lundy Ln
Bettendorf, Iowa 52722