From owner-freebsd-security@FreeBSD.ORG Tue Sep 20 23:05:23 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 22C441065670 for ; Tue, 20 Sep 2011 23:05:23 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from mail.zoral.com.ua (mx0.zoral.com.ua [91.193.166.200]) by mx1.freebsd.org (Postfix) with ESMTP id 9717E8FC0A for ; Tue, 20 Sep 2011 23:05:22 +0000 (UTC) Received: from alf.home (alf.kiev.zoral.com.ua [10.1.1.177]) by mail.zoral.com.ua (8.14.2/8.14.2) with ESMTP id p8KMpAbR069068 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Sep 2011 01:51:11 +0300 (EEST) (envelope-from kostikbel@gmail.com) Received: from alf.home (kostik@localhost [127.0.0.1]) by alf.home (8.14.5/8.14.5) with ESMTP id p8KMp9FF011372; Wed, 21 Sep 2011 01:51:09 +0300 (EEST) (envelope-from kostikbel@gmail.com) Received: (from kostik@localhost) by alf.home (8.14.5/8.14.5/Submit) id p8KMp9CV011371; Wed, 21 Sep 2011 01:51:09 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: alf.home: kostik set sender to kostikbel@gmail.com using -f Date: Wed, 21 Sep 2011 01:51:09 +0300 From: Kostik Belousov To: Lev Serebryakov Message-ID: <20110920225109.GF1511@deviant.kiev.zoral.com.ua> References: <86boukbk8s.fsf@ds4.des.no> <4E738794.4050908@delphij.net> <86zki1afto.fsf@ds4.des.no> <4E78EA46.2080806@delphij.net> <86ty86zzcg.fsf@ds4.des.no> <1251419684.20110921022541@serebryakov.spb.ru> <4E7914E1.6040408@delphij.net> <849327678.20110921024347@serebryakov.spb.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="KvB7u8NuoXBZIbZd" Content-Disposition: inline In-Reply-To: <849327678.20110921024347@serebryakov.spb.ru> User-Agent: Mutt/1.4.2.3i X-Virus-Scanned: clamav-milter 0.95.2 at skuns.kiev.zoral.com.ua X-Virus-Status: Clean X-Spam-Status: No, score=-3.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, DNS_FROM_OPENWHOIS autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on skuns.kiev.zoral.com.ua Cc: Dag-Erling Sm??rgrav , Xin LI , d@delphij.net, freebsd-security@freebsd.org Subject: Re: PAM modules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Sep 2011 23:05:23 -0000 --KvB7u8NuoXBZIbZd Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 21, 2011 at 02:43:47AM +0400, Lev Serebryakov wrote: > Hello, Xin. > You wrote 21 =D3=C5=CE=D4=D1=C2=D2=D1 2011 =C7., 2:34:09: >=20 > > That's true but is there any very compelling reason to do that (not > > say no if someone really want to invest time on this and maintain it) > > instead of just using an actively maintained codebase? The OpenLDAP > > license is pretty similar to a BSD license: > My point is not a license. I don't know, what is simpler: > (a) strip-down and rename API for OpenLDAP and later import new releases, > with new strip-downs and renames (IMHO, it is harder, than import and > support almost-intact code, like sendmail or bind), > or > (b) maintain local code, most of which is auto-generated from standard > by very mature and stable tool, as Lev's asn1c is. I know Lev > personally, and he says, that this tool is used by many Telco > operators and other Big Companies and he is not aware about any > outstanding bugs (from year 2007!) even when very complex (much more > complex than LDAPv3) ASN.1 rules are processed. Sometimes he is > contacted for support, but always it is not bugs in compiler, but some > other problems. >=20 > Maybe, import and maintaining of hacked OpenLDAP is simpler in > long-standing perspective. Maybe not. I only want to point, that if we > want our own LDAP client library, we don't need to write tons of > non-obvious, error-prone and security-sensitive code by hands. >=20 Yes, the question of maintanence of the OpenLDAP code in the base is not trivial by any means. I remember that openldap once broke the ABI on its stable-like branch. Having API renamed during the import for the actively-developed third-party component is probably a stopper. I am aware of the rename done for ssh import in ssh_namespace.h, but I do not think such approach scale. Would the import of openldap and nss + pam ldap modules in src/ give any benefits over having openldap and ldap nss + pam modules on the dvd1 ? --KvB7u8NuoXBZIbZd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (FreeBSD) iEYEARECAAYFAk55GN0ACgkQC3+MBN1Mb4gvNQCeIakbf5IsRiJxRgxhziQ7q/er ZXIAnjY2BMwjyprhJ9Yak9Z9OGeCznei =iyCy -----END PGP SIGNATURE----- --KvB7u8NuoXBZIbZd--