[Bug 265733] New: pam packaging pulls in unnecessary requirements
https://bugzilla.novell.com/show_bug.cgi?id=265733

           Summary: pam packaging pulls in unnecessary requirements
           Product: openSUSE 10.3
           Version: Alpha 3
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: mc@novell.com
        ReportedBy: rguenther@novell.com
         QAContact: qa@suse.de

There are several improvements that can be made for shrinking the installed size of pam.

First pam_cracklib.so pulls in cracklib and its dictionary which is bad, this module should be made optional in the default config and not be packaged in the main pam package.

Second, the excessive documentation belongs in a pam-doc package, packaging pdf and html looks redundant.

A pam-base package with just authentication support would be really nice.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=265733

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |kukuk@novell.com

------- Comment #1 from mc@novell.com 2007-04-19 04:17 MST -------

Splitting out the documentation is a good idea. But I am not sure if the requirement to cracklib is an "unnecessary dependency".

We use pam_pwcheck by default and I think it is a good investment to add this 10 MB dictionary.

Let's ask Thorsten what he thinks about this.

https://bugzilla.novell.com/show_bug.cgi?id=265733

------- Comment #2 from rguenther@novell.com 2007-04-19 05:20 MST -------

Cracklib is certainly not an "unnecessary dependency" in general, but it should be optional. Consider a thin client where you only logon on remote machines from - there's no need to have support for (strong) password changing mechanisms on the thin client itself.

This is why I was asking of the possibility of a pam-base package just providing pam_unix authentication. Of course substituting a different /bin/login may also get rid of pam (no idea what else has pam dependencies though, so the libpam*s should be in that base package).

[as a side-note, the /lib/libpam* should be in a separate lib package]

I suppose moving pam_cracklib to the pam-modules package would be possible, marking the cracklib module optional in the default config.

https://bugzilla.novell.com/show_bug.cgi?id=265733

kukuk@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kukuk@novell.com
             Status|NEEDINFO                    |NEW
      Info Provider|kukuk@novell.com            |

------- Comment #3 from kukuk@novell.com 2007-04-19 06:35 MST -------

Moving /lib/libpam* out of pam package doesn't make any sense, it is like moving libgcc.a, collect2 and crtbegin.o/crtend.o in different packages out of gcc41. What you propose is "Augenwischerei" and does not solve anything of what you wish to achieve.

The requirement to cracklib is not optional, to get our standard configuration working you need pam, pam-modules and cracklib. And from all the requests for help/support I can only say it is a bad idea to make necessary things optional, especially if they are used in the default configuration. People will deselect the optional stuff/not install it, but they will never adjust the configuration and are rightly angry that they will end with a non-working system they cannot even log in to.
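
The failure mode described in comment #3 (a default configuration that still references a module whose package was deselected) can be checked for before anyone is locked out. This is an added example, not part of the original thread: the sample configs, the installed set and pam_extra.so are constructed, and treating only required/requisite rules as blocking is a simplifying assumption.

```python
import os

BLOCKING = {"required", "requisite"}  # assumption: a load failure here fails the stack

def parse_pam_line(line):
    """Return (type, control, module) for a pam.d rule line, else None."""
    line = line.split("#", 1)[0].strip()
    fields = line.split(None, 1)
    if len(fields) < 2 or fields[0].startswith("@"):   # blank, comment, @include
        return None
    mtype, rest = fields[0], fields[1].strip()
    if rest.startswith("["):          # bracketed control: [success=1 default=ignore]
        end = rest.find("]")
        if end < 0:
            return None
        control, rest = rest[:end + 1], rest[end + 1:]
    else:
        pieces = rest.split(None, 1)
        control, rest = pieces[0], pieces[1] if len(pieces) > 1 else ""
    words = rest.split()
    if control in ("include", "substack") or not words:  # names a file, not a module
        return None
    return mtype, control, os.path.basename(words[0])

def missing_modules(configs, installed):
    """List (service, type, control, module, impact) for rules whose module is absent."""
    findings = []
    for service, text in sorted(configs.items()):
        for line in text.splitlines():
            rule = parse_pam_line(line)
            if rule is None or rule[2] in installed:
                continue
            mtype, control, module = rule
            silent = mtype.startswith("-")   # "-type": a missing module is tolerated
            impact = "blocking" if control in BLOCKING and not silent else "review"
            findings.append((service, mtype.lstrip("-"), control, module, impact))
    return findings

# Constructed sample: cracklib's package was deselected, the config was not adjusted.
SAMPLE = {
    "common-auth": "auth required pam_env.so\nauth required /lib/security/pam_unix.so\n",
    "common-password": "# constructed sample\npassword required pam_cracklib.so retry=3\n"
                       "password required pam_unix.so use_authtok\n",
    "login": "auth\tinclude\tcommon-auth\n-session optional pam_extra.so\n",
}
INSTALLED = {"pam_env.so", "pam_unix.so"}

if __name__ == "__main__":
    for finding in missing_modules(SAMPLE, INSTALLED):
        print(*finding)
```

On a real system the two inputs would come from the files under /etc/pam.d and a listing of the PAM module directory.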

https://bugzilla.novell.com/show_bug.cgi?id=265733

------- Comment #4 from kukuk@novell.com 2007-04-19 06:38 MST -------

(In reply to comment #2)
> Cracklib is certainly not an "unnecessary dependency" in general, but it should be optional. Consider a thin client where you only logon on remote machines from - there's no need to have support for (strong) password changing mechanisms on the thin client itself.

This is wrong, the way how authentication/password aging/password changing works you need it on the thin client itself. Independent of if you use local, NIS or LDAP accounts. All protocols have the same design mistake.

https://bugzilla.novell.com/show_bug.cgi?id=265733

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Comment #5 from mc@novell.com 2007-04-19 07:35 MST -------

I submitted a pam package which separates the documentation into pam-doc.

For the other part I will do some research if it would be possible to provide two dictionaries (a small dict and a long dict) for cracklib.

https://bugzilla.novell.com/show_bug.cgi?id=265733

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |aj@novell.com

------- Comment #6 from mc@novell.com 2007-04-20 04:17 MST -------

I did some research on providing two dictionaries for cracklib. A small one and a full one.

The idea:

The cracklib tar includes a small dict. I want to build this and put it into a package named "cracklib-dict-small" which provides "cracklib-dict". cracklib will have a requires "cracklib-dict".

I will build another RPM with the full dictionary which will be named "cracklib-dict-full" and provides also "cracklib-dict".

cracklib-dict-small and cracklib-dict-full conflict with each other. It should not be possible to install both.

The size of the resulting RPMs will be this:

tait:/space/build/cracklib-split/RPMs # ls -lh
total 3.6M
-rw-r--r-- 1 mc tools  46K Apr 19 17:40 cracklib-2.8.10-2.i586.rpm
-rw-r--r-- 1 mc tools  18K Apr 19 17:40 cracklib-devel-2.8.10-2.i586.rpm
-rw-r--r-- 1 mc tools 3.5M Apr 19 17:41 cracklib-dict-full-2.8.10-1.i586.rpm
-rw-r--r-- 1 mc tools 5.2K Apr 19 17:40 cracklib-dict-small-2.8.10-2.i586.rpm

In our patterns we can preselect which dictionary will be installed. For openSUSE default we can select cracklib-dict-full. For a thin-client pattern, cracklib-dict-small can be selected.

For the update case I will set a split-provides to cracklib-dict-full.

AJ: what do you think about this solution?

https://bugzilla.novell.com/show_bug.cgi?id=265733

aj@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Info Provider|aj@novell.com               |kukuk@novell.com

------- Comment #7 from aj@novell.com 2007-04-20 05:12 MST -------

Looks fine to me. Thorsten, any comments from your side?

https://bugzilla.novell.com/show_bug.cgi?id=265733

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
      Info Provider|kukuk@novell.com            |
         Resolution|                            |FIXED

------- Comment #8 from mc@novell.com 2007-04-23 04:35 MST -------

I tested my testbuilds and everything seems to work fine. So I did the split and submitted the packages to STABLE.

https://bugzilla.novell.com/show_bug.cgi?id=265733

Richard Guenther <rguenther@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Found By|Other                       |Development