From owner-freebsd-security@FreeBSD.ORG Wed Sep 21 09:58:19 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0FCC51065678; Wed, 21 Sep 2011 09:58:19 +0000 (UTC) (envelope-from kostikbel@gmail.com) Received: from mail.zoral.com.ua (mx0.zoral.com.ua [91.193.166.200]) by mx1.freebsd.org (Postfix) with ESMTP id 87A578FC0A; Wed, 21 Sep 2011 09:58:18 +0000 (UTC) Received: from alf.home (alf.kiev.zoral.com.ua [10.1.1.177]) by mail.zoral.com.ua (8.14.2/8.14.2) with ESMTP id p8L9uptu094373 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Sep 2011 12:56:51 +0300 (EEST) (envelope-from kostikbel@gmail.com) Received: from alf.home (kostik@localhost [127.0.0.1]) by alf.home (8.14.5/8.14.5) with ESMTP id p8L9upaB013392; Wed, 21 Sep 2011 12:56:51 +0300 (EEST) (envelope-from kostikbel@gmail.com) Received: (from kostik@localhost) by alf.home (8.14.5/8.14.5/Submit) id p8L9upA3013391; Wed, 21 Sep 2011 12:56:51 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: alf.home: kostik set sender to kostikbel@gmail.com using -f Date: Wed, 21 Sep 2011 12:56:51 +0300 From: Kostik Belousov To: Dag-Erling Sm??rgrav Message-ID: <20110921095651.GJ1511@deviant.kiev.zoral.com.ua> References: <86boukbk8s.fsf@ds4.des.no> <4E738794.4050908@delphij.net> <86zki1afto.fsf@ds4.des.no> <4E78EA46.2080806@delphij.net> <86ty86zzcg.fsf@ds4.des.no> <1251419684.20110921022541@serebryakov.spb.ru> <4E7914E1.6040408@delphij.net> <849327678.20110921024347@serebryakov.spb.ru> <20110920225109.GF1511@deviant.kiev.zoral.com.ua> <86ipomz1iq.fsf@ds4.des.no> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="E2AOuUyqcJWq6+RR" Content-Disposition: inline In-Reply-To: <86ipomz1iq.fsf@ds4.des.no> User-Agent: Mutt/1.4.2.3i X-Virus-Scanned: clamav-milter 0.95.2 at skuns.kiev.zoral.com.ua X-Virus-Status: Clean X-Spam-Status: No, score=-3.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, DNS_FROM_OPENWHOIS autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on skuns.kiev.zoral.com.ua Cc: d@delphij.net, Lev Serebryakov , Xin LI , freebsd-security@freebsd.org Subject: Re: PAM modules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Sep 2011 09:58:19 -0000 --E2AOuUyqcJWq6+RR Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 21, 2011 at 11:29:49AM +0200, Dag-Erling Sm??rgrav wrote: > Kostik Belousov writes: > > Yes, the question of maintanence of the OpenLDAP code in the base > > is not trivial by any means. I remember that openldap once broke > > the ABI on its stable-like branch. >=20 > That's irrelevant. Our own renamed subset of OpenLDAP would only be > used by our own code, primarily nss_ldap and pam_ldap, and would be > updated when and only when we decided that it needed updating, not every > time a new OpenLDAP release shipped. We did this successfully with > expat (libbsdxml), and there's no reason why it wouldn't work with > OpenLDAP. >=20 > > Having API renamed during the import for the actively-developed > > third-party component is probably a stopper. I am aware of the rename > > done for ssh import in ssh_namespace.h, but I do not think such > > approach scale. >=20 > The entire point of ssh_namespace.h is to minimize the amount of changes > required. Actually, when I say minimize, I mean "reduce to zero", and > the file itself is autogenerated, except for lining up the columns, > which I do manually. I don't know why you think it doesn't scale. >=20 > I don't think we have anything to gain by writing our own LDAP library. > Firstly, new code means new bugs, and this is security-critical code. > Secondly, any LDAP client library we wrote would have to have an API > that closely paralells OpenLDAP's; otherwise, we would also have to > rewrite nss_ldap and pam_ldap. I do not think that we would benefit from writing our own LDAP library either. But I also doubt that importing ldap support in base would offer any advantages in sum. --E2AOuUyqcJWq6+RR Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (FreeBSD) iEYEARECAAYFAk55tOIACgkQC3+MBN1Mb4gohwCgonT5z23OlA9LYG1plkuXioP+ 40UAoKVK3oqizW0h95Ff6vkA9YHJzTLJ =WKDX -----END PGP SIGNATURE----- --E2AOuUyqcJWq6+RR--