Re: Reducing the attack surface caused by Berkeley DB...
- Date: Thu, 25 Jan 2018 16:02:01 -0800
- From: Ryan Tandy <ryan@xxxxxxxxx>
- Subject: Re: Reducing the attack surface caused by Berkeley DB...
On Thu, Jan 25, 2018 at 11:59:06PM +0100, Lionel Debroux wrote:
the vast majority of the ~170 reverse dependencies of libdb5.3 listed by
`apt-cache rdepends libdb5.3` on sid will require (much) more work to
get rid of that dependency, with impact on backwards compatibility...
Among those packages are:
The BDB-based backends are already deprecated upstream in favour of
LMDB, so when the time comes I'm happy to forcibly migrate the remaining
users on upgrade. At that point we can simply stop building the module,
possibly even in the same version where we force the migration.
There are still a few cases where LMDB may not be entirely satisfactory:
databases containing a lot of aliases, or workloads that happen to cause
a lot of fragmentation in LMDB. LMDB 1.0/OpenLDAP 2.5 will have some
improvements in these areas. (No ETA from upstream at this time.)
Hope this helps, or at least marks slapd as "minor" on your list.