From: "\"Paweł Hajdan, Jr.\"" <phajdan.jr@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] RFC: virtual/shadow
Date: Thu, 08 Mar 2012 14:23:19 +0100
Message-ID: <4F58B2C7.3050109@gentoo.org>

I'd like to add <http://code.google.com/p/hardened-shadow/> to the tree.
It is an alternative implementation of shadow utilities (passwd, su,
login, etc.) based on ideas from Openwall's tcb.

Earlier I tried upstreaming Openwall's shadow patches, and you can
see a log of those efforts at
<http://comments.gmane.org/gmane.linux.debian.alioth.pkg-shadow/881>.

In the end shadow-4.1.5 has some experimental support for tcb, but:

1) It's incomplete (I didn't manage to upstream all of Openwall's patches).
2) It's ugly (even more "special cases" in the already #ifdef-heavy
codebase).
3) It requires sys-auth/tcb, which doesn't work with vanilla glibc (I'm
maintaining tcb in Gentoo and have a special patch for that, reviewed by
upstream), and is broken with recent glibc
(<https://bugs.gentoo.org/show_bug.cgi?id=371167>).

And now we have <http://code.google.com/p/hardened-shadow/>, which is a
small alternative implementation, possibly going even further (the file
system layout is a bit different than with tcb).

I'd like to add virtual/shadow-0, with the following dependencies:
DEPEND=""
RDEPEND="|| ( >=sys-apps/shadow-4.1 sys-apps/hardened-shadow )"
The hardened-shadow package is not yet in the tree; I'm going to be its
maintainer (base-system or anyone else is welcome to join), and the
ebuild is going to be very simple.

And then convert profiles to the new virtual (the relevant files; below
are all occurrences of sys-apps/shadow):
$ grep 'sys-apps/shadow' -r /usr/portage/profiles/
/usr/portage/profiles/ChangeLog-2011: Added sys-apps/shadow to packages.build as we need it on stage1.
/usr/portage/profiles/prefix/packages:-*>=sys-apps/shadow-4.1
/usr/portage/profiles/prefix/package.provided:sys-apps/shadow-0
/usr/portage/profiles/base/packages:*>=sys-apps/shadow-4.1
/usr/portage/profiles/uclibc/packages.build:sys-apps/shadow
/usr/portage/profiles/default/bsd/ChangeLog: Add -*>=sys-apps/shadow-4.1
/usr/portage/profiles/default/bsd/package.mask:sys-apps/shadow
/usr/portage/profiles/default/bsd/packages:-*>=sys-apps/shadow-4.1
/usr/portage/profiles/default/linux/packages.build:sys-apps/shadow
/usr/portage/profiles/use.local.desc:sys-apps/shadow:audit - Enable support for sys-process/audit
/usr/portage/profiles/use.local.desc:sys-apps/shadow:tcb - Enable support for sys-auth/tcb

And any reverse dependencies (after testing):
<http://tinderbox.dev.gentoo.org/misc/dindex/sys-apps/shadow>
What do you think?