Re: PAM modules -> LDAP!

Board: FB_security | Author: | Time: 14 years ago (2011/09/25 11:32) | Edited | Push/boo: 0 (0 0 0)
0 comments, 0 participants, latest thread 6/6
On Sat, 24 Sep 2011, Ryan Steinmetz wrote:

>
> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base system.
> Something that would allow the software to be more easily kept current.
> Perhaps this could be done via some sort of base-integrated ports
> category that require extra-special care/controls when being updated.

I would very much love a way to tie certain ports into the base system, by which I mean have the base system utilities link against libraries provided by a port. (My particular example at hand would be to link ssh and friends against MIT kerberos from ports, but there are a goodly number of other examples.) Yet, in order for the benefits of ports to work, there would need to be a way to hook into the base system to get these utilities updated with port updates, and probably a way to disable the base system version of the libraries but still have utilities link against them (from ports). I do not think this is possible without a great deal of build infrastructure work; certainly just a special category of port is insufficient, as it should still have the update problem. Though perhaps my vision is not exactly what you are aiming for ...

>
> Using the above idea, perhaps we could have ISOs or the like available
> that include these 'base-integrated' ports pre-installed, thus giving
> users the ability to (effectively) have an out-of-the-box solution that
> included LDAP support, etc., while still having these 'base-integrated'
> ports loosely coupled with the base OS. The concept could keep the base
> system lean, but provide the flexibility that users desire.

People seem to have concerns about the ability of (some) mirrors to cope with huge piles of data, particularly in the context of regularly updated package sets from ports. Those concerns would seem to apply to this as well, as it would apply a scaling factor to the number of isos involved.

Now, having an extra option in the installer "Do you want to install the LDAP package? (y/n)" is another matter, and potentially doable. (Though given that perl was pulled *out* of this near-base status in the fairly recent past does give one pause ...)

>
> Obviously there are some complexities associated with implementing the
> framework and details that would need to be worked out, but this could
> address:
> -The desire to keep the base system lean
> -The desire to provide certain features out-of-the-box
> -The ability to keep these 'base-integrated' ports more current in terms
> of features/functionality

My main concern is with respect to the third point, in making sure that there do not creep in interdependencies that make updating the port components complicated or fragile.

-Ben Kaduk
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #1EVg2pOW (FB_security)