Bug 348161 - Port rsync to use NSS library for cryptography [NEEDINFO]
Status: NEW
Product: Fedora
Classification: Fedora
Component: rsync
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: low
Assigned To: Luboš Uhliarik
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Blocks: CryptoConsolidation
Reported: 2007-10-23 06:22 EDT by Peter Vrabec
Modified: 2015-04-09 06:21 EDT
Doc Type: Enhancement
abartlet: needinfo? (pvrabec)


Description Peter Vrabec 2007-10-23 06:22:49 EDT
rsync should be ported to use NSS library for cryptography.
See the tracking bug for details and links on how it could be done.
Comment 1 Andrew Bartlett 2008-08-29 04:05:40 EDT
Given rsync uses (only) MD4, and NSS considers this deprecated, how do you propose to do this?  (Without breaking the protocol, or crippling its performance).
Comment 2 Matt McCutchen 2009-11-21 01:13:08 EST
Note that protocols 30 and newer use MD5.

Upstream might be reluctant to introduce an NSS dependency just for two hash algorithms that are not used in a particularly security-sensitive context.  IIUC, all that an attacker who broke the crypto could do is create a file that rsync would transfer incorrectly.
Comment 3 Simo Sorce 2009-11-21 10:33:07 EST
Matt,
there is also the problem of preventing a mirror from syncing the right file, therefore leaving in place a harmful one.
If you think of distribution packages this is worrisome.
It's true that it is not that easy to exploit, but that's not the point.

It would be nice if we could have modular signing so that the algorithm to be used could be negotiated. Then we could add a whole lot of algorithms through NSS and keep adding new ones when they come out without having to change rsync itself. As long as 2 machines have at least one common allowed algorithm they will be able to transfer files no problem.

How much do you think upstream would be willing to accept a patch that allows you to compile (optionally) rsync with NSS support, and how much do you think adding a negotiation for signing algorithms would be acceptable?
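
The negotiation proposed in Comment 3, sketched as an added example that is not part of the original comment and is not rsync or NSS code. The function name, the list format and the sample algorithm lists are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout: this is not rsync or NSS code. */

/* Constructed sample lists, NULL-terminated, most preferred first. */
static const char *const client_modern[] = { "sha256", "md5", "md4", NULL };
static const char *const client_legacy[] = { "md5", "md4", NULL };
static const char *const server_mixed[]  = { "md5", "sha256", NULL };
static const char *const server_strict[] = { "sha256", NULL };

/* Return 1 if name appears in the NULL-terminated list. */
static int in_list(const char *name, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strcmp(name, *list) == 0)
            return 1;
    return 0;
}

/*
 * Both peers call this with the same two lists, so they reach the same
 * answer: the first entry in the client's order that the server allows.
 * Returns NULL when nothing is shared; the caller must abort the
 * transfer instead of falling back to a built-in default.
 * A peer can still omit strong digests from its list, so the only
 * protection against a forced weak choice is leaving weak digests out
 * of the local list.
 */
const char *negotiate_digest(const char *const *client_pref,
                             const char *const *server_allowed)
{
    for (; *client_pref != NULL; client_pref++)
        if (in_list(*client_pref, server_allowed))
            return *client_pref;
    return NULL;
}

int main(void)
{
    const char *d = negotiate_digest(client_modern, server_mixed);
    printf("modern client, mixed server: %s\n", d ? d : "(none, abort)");
    d = negotiate_digest(client_legacy, server_strict);
    printf("legacy client, strict server: %s\n", d ? d : "(none, abort)");
    return 0;
}
```
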
Comment 4 Matt McCutchen 2009-11-23 21:57:10 EST
I should stop trying to speak for upstream.  I don't want to be stuck in the middle of this debate.
Comment 5 Fedora Admin XMLRPC Client 2010-10-05 07:59:51 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 6 Fedora Admin XMLRPC Client 2012-05-07 05:31:44 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 7 Fedora Admin XMLRPC Client 2014-09-30 08:14:00 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Fedora Admin XMLRPC Client 2015-04-09 06:21:57 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
