From owner-freebsd-current@FreeBSD.ORG Fri Aug 25 22:52:14 2006
Date: Fri, 25 Aug 2006 17:27:32 -0500
From: Brooks Davis
To: Peter Jeremy
Cc: freebsd-current@freebsd.org, Michael Bushkov
Subject: Re: [HEADS UP]: OpenLDAP+nss_ldap+nss_modules separated patch and more (SoC)
Message-ID: <20060825222732.GA51559@lor.one-eyed-alien.net>
References: <44E9582C.2010400@rsu.ru> <44ECBB7D.4090905@FreeBSD.org> <20060823205523.GB27961@lor.one-eyed-alien.net> <20060825220033.GC16768@turion.vk2pj.dyndns.org>
In-Reply-To: <20060825220033.GC16768@turion.vk2pj.dyndns.org>
User-Agent: Mutt/1.5.11
List-Id: Discussions about the use of FreeBSD-current
On Sat, Aug 26, 2006 at 08:00:33AM +1000, Peter Jeremy wrote:
> On Wed, 2006-Aug-23 15:55:23 -0500, Brooks Davis wrote:
> > Having authentication functions outside the base makes them
> > more vulnerable to configuration problems and general library cross
> > threading.
>
> Can you explain what you mean here? Having a single OpenLDAP,
> nss_ldap etc. in ports would seem to have less scope for
> misconfiguration than having one version in the base system and a
> slightly different version in ports.
>
> There are already a number of authentication modules in ports
> that don't seem to cause serious problems.

If it's in the base you always know exactly what version is there, and we generally limit the number of build options available, so it's fairly easy to be sure you've built a set of things that actually work. There's also no supported way to upgrade your libraries out from under a dependency piece as happens fairly regularly in ports (yes, there are ways to avoid it, but we're talking about your login system here. Breaking that is really bad).

> > It also means they can't work out of the box.
>
> I disagree. X11 and perl are both ports that work out-of-the-box.
> There's no reason why OpenLDAP can't be a port on CD1 - which makes
> it fairly transparent to users.

I think authentication and authorization are in a different class of things from X and perl, but the line is certainly blurry.

> > I think the
> > costs are likely fairly small (no worse than those associated with
> > OpenSSL) and the benefits are substantial.
>
> As one of the majority who don't need LDAP authentication, I don't
> see any benefits to me.
>
> IMHO, FreeBSD should move towards a more modular system - a minimal
> base with most of the functionality in optional packages (or ports).
> Removing uucp, games and perl are steps in this direction. I believe
> there should be a very high bar on the import of functionality that
> is already available in ports.

I'm fairly confident that less than 1% of users use anything close to half the programs in the base system, but we still ship all of them because they are part of a complete system. I think that LDAP auth has moved (or is moving) into the category of things that should be in that complete system and that we would benefit from tighter integration than the ports collection can give us. There are also undoubtedly things in the base that no longer contribute sufficiently to that system. I think there's room for more modularity, but I'd prefer not to rip out everything you could conceivably get from ports.

-- Brooks