[crux-devel] meeting notes & next IRC Meeting

Brett Goulder predatorfreak at dcaf-security.org
Wed May 31 03:38:56 UTC 2006


On Wed, 31 May 2006 00:40:01 +0200
Daniel Mueller wrote:

> On Monday 29 May 2006 22:36, Brett Goulder wrote:
> 
> > > 1. move /etc/rc.d/net to iproute2
> > >   The consensus here was that we'll move /etc/rc.d/net to iproute2 for
> > >   2.3 but keep shipping net-tools
> >
> > If iproute2 is smaller/simpler/better in some way to ifconfig, then I'm all
> > for it.
> 
> It's not smaller and it's not simpler [1]. It is the only tool that takes 
> advantage of recent kernel network features [2]. 
>
> > > 2. use PAM
> > >   This has to be investigated, it's a tough balance between features and
> > >   simplicity; integrating CRUX into certain infrastructures can be
> > >   rather hard without PAM, and the transition seems painful. We need to
> > >   evaluate the impact of this before deciding
> >
> > I think we're better off without it, CRUX is, after all, a distribution
> > following the KISS way of life, so complexity like this seems wrong. I
> > would probably end up modifying half of core/opt/contrib to kill PAM from
> > my system and I think others who enjoy the simplicity of CRUX would
> > probably get annoyed by PAM. I vote that PAM stays out of CRUX.
> 
> Why would you get annoyed by PAM? If it is properly configured you won't even 
> notice the difference, nor do you need to touch it. Only to make that clear: PAM 
> is the de facto standard (ALL major Linux distributions ship it). New 
> directory services/infrastructures requiring authentication utilize PAM (e.g. 
> Kerberos, LDAP). I don't like this egoistic thinking: "I don't need it -> 
> leave it out!". 
> It's a pain in the ass to configure PAM if it is not pre-installed. People 
> depending on PAM have to modify numerous ports only to get it running ('cause 
> it doesn't work out-of-the-box). Later then, they need to keep an eye on 
> every particular port they have modified (port updates, security flaws etc.).
>

It's a complex piece of code prone to problems and tends to introduce so much excess
that I do NOT use; I figure that most people who just need a simple login system as
I do would also get annoyed. Most applications can optionally disable PAM support with
something as simple as a ./configure switch, others can't, but for the most part PAM
support is entirely optional in 90% of applications on UNIX-like/Linux.

> > [..] I would probably end up modifying half of core/opt/contrib to kill PAM
> > from my system [..]
> 
> Just don't touch it. getspent(3) works with and without PAM - you're not 
> forced to access your system's /etc/shadow file through pam(_unix).
>

I'm a minimalist, I try to keep things as simple as possible, and I wouldn't be
able to deal with having excess such as PAM on my system, as it contradicts my
commitment to minimalism (one of the major reasons I chose CRUX and stuck with
it was that it was minimalist out of the box).

> > I think we're better off without it, CRUX is, after all, a distribution
> > following the KISS way of life, so complexity like this seems wrong.
> 
> CRUX users need to configure their kernels themselves, configure their system 
> without GUI editors, have to compile applications themselves and you're telling 
> me that PAM is too 'complex'? Or did you mean the CRUX user base is too lazy 
> to read documentation[3]? Let me quote some words I found on CRUX's main 
> page "[..] targeted at experienced Linux users", "The secondary focus is 
> utilization of new Linux features and recent tools and libraries".
> 

Complexity of implementation and design: PAM is both implementation-complex
AND design-complex; it rolls over the concept of KISS like a steamroller.
I never said a thing about configuration of the kernel or using GUI editors,
I stated that I think the complexity introduced by PAM is wrong.

> bye, danm
> 
> PS: I kindly ask you to reconfigure your mail client to NOT include the email 
> addresses when answering. In Sylpheed go to
> 
> Configuration -> Common Preferences -> Tab: Compose -> Tab: Format
> 
> Please replace the %f symbol with %N in the "Reply format" text box and remove 
> From:, To: and CC: completely in the "Forward format" text box. Thanks.
>

Done.

> [1] http://crux.danm.de/files/x86/iproute2/net.rc
> [2] http://linux-net.osdl.org/index.php/Iproute2
> [3] http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/
> -- 
> Daniel Mueller
> Berlin, Germany         OpenPGP: 1024D/E4F4383A
> _______________________________________________
> crux-devel mailing list
> crux-devel at lists.crux.nu
> http://lists.crux.nu/mailman/listinfo/crux-devel


-- 
~predatorfreak
GnuPG Public key: http://pred.dcaf-security.org/dcafsec-pub-gpgkey.asc