From: Benjamin Kaduk
To: Ryan Steinmetz
Date: Sat, 24 Sep 2011 23:13:57 -0400 (EDT)
In-Reply-To: <20110925001258.GA28508@fast.rit.edu>
References: <86boukbk8s.fsf@ds4.des.no> <4E73C163.9040601@llnl.gov> <4E7492FE.2090506@zedat.fu-berlin.de> <20110917135341.GA23643@fast.rit.edu> <20110925001258.GA28508@fast.rit.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: PAM modules -> LDAP!

On Sat, 24 Sep 2011, Ryan Steinmetz wrote:

> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base system.
> Something that would allow the software to be more easily kept current.
> Perhaps this could be done via some sort of base-integrated ports
> category that requires extra-special care/controls when being updated.

I would very much love a way to tie certain ports into the base system,
by which I mean have the base system utilities link against libraries
provided by a port.  (My particular example at hand would be to link ssh
and friends against MIT kerberos from ports, but there are a goodly number
of other examples.)
Yet, in order for the benefits of ports to work, there would need to be a
way to hook into the base system to get these utilities updated with port
updates, and probably a way to disable the base system version of the
libraries but still have utilities link against them (from ports).  I do
not think this is possible without a great deal of build infrastructure
work; certainly just a special category of port is insufficient, as it
should still have the update problem.  Though perhaps my vision is not
exactly what you are aiming for ...

> Using the above idea, perhaps we could have ISOs or the like available
> that include these 'base-integrated' ports pre-installed, thus giving
> users the ability to (effectively) have an out-of-the-box solution that
> included LDAP support, etc., while still having these 'base-integrated'
> ports loosely coupled with the base OS.  The concept could keep the base
> system lean, but provide the flexibility that users desire.

People seem to have concerns about the ability of (some) mirrors to cope
with huge piles of data, particularly in the context of regularly updated
package sets from ports.  Those concerns would seem to apply to this as
well, as it would apply a scaling factor to the number of ISOs involved.
Now, having an extra option in the installer "Do you want to install the
LDAP package? (y/n)" is another matter, and potentially doable.  (Though
given that perl was pulled *out* of this near-base status in the fairly
recent past does give one pause ...)
> Obviously there are some complexities associated with implementing the
> framework and details that would need to be worked out, but this could
> address:
> -The desire to keep the base system lean
> -The desire to provide certain features out-of-the-box
> -The ability to keep these 'base-integrated' ports more current in terms
>  of features/functionality

My main concern is with respect to the third point, in making sure that
there do not creep in interdependencies that make updating the port
components complicated or fragile.

-Ben Kaduk