From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 22:43:52 2011
Date: Wed, 21 Sep 2011 02:43:47 +0400
From: Lev Serebryakov
To: Xin LI
Cc: Dag-Erling Smørgrav, Lev Serebryakov, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules
Message-ID: <849327678.20110921024347@serebryakov.spb.ru>
In-Reply-To: <4E7914E1.6040408@delphij.net>
References: <86boukbk8s.fsf@ds4.des.no> <4E738794.4050908@delphij.net> <86zki1afto.fsf@ds4.des.no> <4E78EA46.2080806@delphij.net> <86ty86zzcg.fsf@ds4.des.no> <1251419684.20110921022541@serebryakov.spb.ru> <4E7914E1.6040408@delphij.net>

Hello, Xin.

You wrote on 21 September 2011, 2:34:09:

> That's true but is there any very compelling reason to do that (not
> say no if someone really wants to invest time on this and maintain it)
> instead of just using an actively maintained codebase? The OpenLDAP
> license is pretty similar to a BSD license:

My point is not a license. I don't know what is simpler: (a) strip down and rename the API for OpenLDAP and later import new releases, with new strip-downs and renames (IMHO, it is harder than importing and supporting almost-intact code, like sendmail or bind), or (b) maintain local code, most of which is auto-generated from the standard by a very mature and stable tool, as Lev's asn1c is.

I know Lev personally, and he says that this tool is used by many Telco operators and other Big Companies and he is not aware of any outstanding bugs (since 2007!) even when very complex (much more complex than LDAPv3) ASN.1 rules are processed. Sometimes he is contacted for support, but it is always not bugs in the compiler but some other problems.

Maybe importing and maintaining a hacked OpenLDAP is simpler in the long-term perspective. Maybe not. I only want to point out that if we want our own LDAP client library, we don't need to write tons of non-obvious, error-prone and security-sensitive code by hand.

-- 
// Black Lion AKA Lev Serebryakov
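To show what the "security-sensitive code" in question looks like, here is an added example (not from this thread, FreeBSD or asn1c) of the bounds-checked BER tag/length decoding needed just to walk the LDAPMessage envelope; every check in it is one that hand-written decoders have historically missed and that a generator emits mechanically. The function names and the BindRequest bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one BER tag + length header from buf[0..len).
 * Returns the header size, or 0 if the header is malformed or the
 * declared content length does not fit inside the buffer. */
size_t ber_header(const uint8_t *buf, size_t len, uint8_t *tag, size_t *clen)
{
    size_t i = 0;
    if (len < 2) return 0;
    *tag = buf[i++];
    if ((*tag & 0x1f) == 0x1f) return 0;        /* multi-byte tag numbers: not used by LDAP */
    uint8_t b = buf[i++];
    if (b < 0x80) {
        *clen = b;                               /* short-form length */
    } else {
        size_t n = b & 0x7f;                     /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n > len - i) return 0; /* indefinite or oversized */
        size_t v = 0;
        for (size_t k = 0; k < n; k++) v = (v << 8) | buf[i++];
        *clen = v;
    }
    if (*clen > len - i) return 0;               /* content would overrun the buffer */
    return i;
}

/* Walk LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] ... }.
 * Returns the messageID and stores the protocolOp tag in *op, or -1 on malformed input. */
long long ldap_message_envelope(const uint8_t *msg, size_t len, uint8_t *op)
{
    uint8_t tag; size_t h, clen;
    if ((h = ber_header(msg, len, &tag, &clen)) == 0 || tag != 0x30) return -1;  /* SEQUENCE */
    const uint8_t *p = msg + h; size_t rem = clen;
    if ((h = ber_header(p, rem, &tag, &clen)) == 0 || tag != 0x02 || clen == 0 || clen > 4) return -1;
    uint32_t id = 0;
    for (size_t k = 0; k < clen; k++) id = (id << 8) | p[h + k];                 /* messageID */
    p += h + clen; rem -= h + clen;                                              /* stays in bounds: checked above */
    if ((h = ber_header(p, rem, &tag, &clen)) == 0 || (tag & 0xc0) != 0x40) return -1; /* APPLICATION class */
    *op = tag;
    return id;
}

/* Constructed sample: messageID 1, BindRequest (version 3, empty name, empty simple password). */
const uint8_t sample_bind_request[] = {0x30,0x0c, 0x02,0x01,0x01, 0x60,0x07, 0x02,0x01,0x03, 0x04,0x00, 0x80,0x00};
const size_t sample_bind_request_len = sizeof sample_bind_request;

int main(void)
{
    uint8_t op = 0;
    long long id = ldap_message_envelope(sample_bind_request, sample_bind_request_len, &op);
    printf("messageID=%lld protocolOp=0x%02x\n", id, op);      /* messageID=1 protocolOp=0x60 */
    printf("truncated -> %lld\n", ldap_message_envelope(sample_bind_request, 10, &op)); /* -1 */
    return 0;
}
```

A real decoder still has to apply the same discipline to every nested element of every operation, which is the bulk that a generated codec takes off the author's hands.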