From: Xin LI
Organization: The FreeBSD Project
Date: Tue, 20 Sep 2011 17:21:03 -0700
To: Kostik Belousov
Cc: Dag-Erling Smørgrav, Lev Serebryakov, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: PAM modules

On 09/20/11 15:51, Kostik Belousov wrote:
[...]
> Yes, the question of maintenance of the OpenLDAP code in the base
> is not trivial by any means. I remember that openldap once broke
> the ABI on its stable-like branch.

That happened a few times; however, these are either not essential client library (libldap and liblber) APIs, or it's not changing parameters or removing interfaces. Moreover, like the base libbsdxml.so, it's intended to be used by the base system only, so it's relatively easier to maintain ABI stability, e.g. we can probably just expose only symbols that we use, etc.

> Having API renamed during the import for the actively-developed
> third-party component is probably a stopper. I am aware of the
> rename done for ssh import in ssh_namespace.h, but I do not think
> such an approach scales.

That's right. We did use a similar approach but again, if it's just libldap and liblber, the change would be quite slow over years. We do need to patch files.

> Would the import of openldap and nss + pam ldap modules in src/
> give any benefits over having openldap and ldap nss + pam modules
> on the dvd1?

Well, for ldap nss + pam modules, people usually want them to "just work" rather than wanting new features provided by a port-installed OpenLDAP. That said, the user expects he can update any port without risking being locked out from the system, plus these modules can be upgraded or updated with existing binary update mechanisms.

The proposed approach would not be a whole OpenLDAP import (selected client libraries only), nor would it replace the port, by the way.

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die