From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 09:29:51 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2F6B21065672 for ; Wed, 21 Sep 2011 09:29:51 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id DD3CA8FC12 for ; Wed, 21 Sep 2011 09:29:50 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id BC6871FFC35; Wed, 21 Sep 2011 09:29:49 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 51FFF8452F; Wed, 21 Sep 2011 11:29:49 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Kostik Belousov References: <86boukbk8s.fsf@ds4.des.no> <4E738794.4050908@delphij.net> <86zki1afto.fsf@ds4.des.no> <4E78EA46.2080806@delphij.net> <86ty86zzcg.fsf@ds4.des.no> <1251419684.20110921022541@serebryakov.spb.ru> <4E7914E1.6040408@delphij.net> <849327678.20110921024347@serebryakov.spb.ru> <20110920225109.GF1511@deviant.kiev.zoral.com.ua> Date: Wed, 21 Sep 2011 11:29:49 +0200 In-Reply-To: <20110920225109.GF1511@deviant.kiev.zoral.com.ua> (Kostik Belousov's message of "Wed, 21 Sep 2011 01:51:09 +0300") Message-ID: <86ipomz1iq.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: d@delphij.net, Lev Serebryakov , Xin LI , freebsd-security@freebsd.org Subject: Re: PAM modules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Sep 2011 09:29:51 -0000 Kostik Belousov writes: > Yes, the question of maintanence of the OpenLDAP code in the base > is not trivial by any means. I remember that openldap once broke > the ABI on its stable-like branch. That's irrelevant. Our own renamed subset of OpenLDAP would only be used by our own code, primarily nss_ldap and pam_ldap, and would be updated when and only when we decided that it needed updating, not every time a new OpenLDAP release shipped. We did this successfully with expat (libbsdxml), and there's no reason why it wouldn't work with OpenLDAP. > Having API renamed during the import for the actively-developed > third-party component is probably a stopper. I am aware of the rename > done for ssh import in ssh_namespace.h, but I do not think such > approach scale. The entire point of ssh_namespace.h is to minimize the amount of changes required. Actually, when I say minimize, I mean "reduce to zero", and the file itself is autogenerated, except for lining up the columns, which I do manually. I don't know why you think it doesn't scale. I don't think we have anything to gain by writing our own LDAP library. Firstly, new code means new bugs, and this is security-critical code. Secondly, any LDAP client library we wrote would have to have an API that closely paralells OpenLDAP's; otherwise, we would also have to rewrite nss_ldap and pam_ldap. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no