Re: Reducing the attack surface caused by Berkeley DB...
- Date: Fri, 26 Jan 2018 23:41:23 +0100
- From: Lionel Debroux <lionel_debroux@xxxxxxxx>
- Subject: Re: Reducing the attack surface caused by Berkeley DB...
On 1/26/18 1:02 AM, Ryan Tandy wrote:
> On Thu, Jan 25, 2018 at 11:59:06PM +0100, Lionel Debroux wrote:
> > the vast majority of the ~170 reverse dependencies of libdb5.3
> > listed by `apt-cache rdepends libdb5.3` on sid will require (much)
> > more work to get rid of that dependency, with impact on backwards
> > compatibility...
> > Among those packages are:
> > [...] slapd
> The BDB-based backends are already deprecated upstream in favour of
> LMDB, so when the time comes I'm happy to forcibly migrate the
> remaining users on upgrade. At that point we can simply stop building
> the module, possibly even in the same version where we force the
> There are still a few cases where LMDB may not be entirely
> satisfactory: databases containing a lot of aliases, or workloads that
> happen to cause a lot of fragmentation in LMDB. LMDB 1.0/OpenLDAP 2.5
> will have some improvements in these areas. (No ETA from upstream at
> this time.)
> Hope this helps, or at least marks slapd as "minor" on your list.
Good to know :)
I don't use slapd myself, but I noticed it in the list of daemons which
directly depend on libdb5.3.