[crux-devel] meeting notes & next IRC Meeting

Daniel Mueller daniel at danm.de
Wed May 31 18:52:50 UTC 2006


I hope Anton and Brett will read this mail as well - I'll try to answer all 
open questions within this mail.

On Wednesday 31 May 2006 08:07, Mark Rosenstand wrote:
> Are you sayng that it's time to re-evaluate the priorities of the CRUX
> project?

Indeed.

> > Only to make that clear: PAM is the de facto standard (ALL major Linux
> > distributions ship it).
>
> And RPM is the standard package manager... ;)

You are comparing apples and oranges. There are lots of alternatives for RPM 
(dpkg, pkgutils, ..). If you want your linux box joining a corporate network 
with centralized password management (ldap, samba/ad or kerberos) -> PAM is 
your (only) choice (AND YES: I know about "NIS" which works fully PAM-less 
and is insecure as hell AND I know various commercial products I don't want 
to talk about 'cause they just suck). 

> [..] svn.driver and making it the default, people could just edit the ports
> and (non-conflicting) changes get automatically merged. This is what I
> do, and it isn't that much slower than rsync.

Hmm, I think you've missed my point here. I don't want a separated ports 
collection. We are not talking about one or two 'conflicting' ports. PAM 
is .. comprehensive (in words: all programs, libraries and tools dealing with 
passwords/authentication). However, in most cases it's just an additional 
configure switch and sometimes a (pre-configured!) service file placed 
in /etc/pam.d/. Joe User won't even notice that he's using PAM.

> > Let me quote some words I found on CRUX's main page "[..] targeted at
> > experienced Linux users", "The secondary focus is utilization of new
> > Linux features and recent tools and libraries".
>
> You accidently forgot this one: "The primary focus of this distribution
> is keep it simple"

I knowingly left it out. "KISS" Really, I start to hate these four letters. 
It's the ultimate power abbreviation to choke new ideas and concepts.

On Wednesday 31 May 2006 01:20, Anton wrote:
> > is the de facto standard (ALL major Linux distributions ship it).
> Oh. You are very very wrong. Slackware do not use PAM by default, afaik.
> It's on 11 place according to distrowatch.

Ieeeeek! Shame on me! ->  ALL - 1 major Linux distr....

> Unfortunately it's not impressive, as I don't have retinal scaner, and
> I don't want to play ``shoot 'em up'' game on login phase. ;-)
> It's not clear to me why I'm, as crux user, have to use PAM. May be I
> would love it if someone explain to me what it gives.

Besides of the fact that you will get the possibility to join a corporate 
network with centralized password management, imagine the following scenario:

You've got a brand-new laptop. Your new laptop has the disadvantage of being a 
popular object of desire for pilferers. The harddisk contains most likely 
private data (e.g. nude pics of your girlfriend). It's a good idea to encrypt 
those private files. I hear you saying "Bah, no problem, I don't need PAM for 
this". Okay; you would probably create some container files in your home 
directory and mount them if needed. Now let's imagine the thief is a smart 
one and he's looking for tracks in your home directory 
(.bash_history, .kde/*, .gnome/*, thumbails/*  ..). 
With PAM (pam_mount) it's possible to mount encrypted filesystems during the 
logon session. That means you could encrypt your whole home directory and 
mount it automaticlly during login. After you've logged out, PAM will unmount 
it for you.

Of course, you could do the same in some different ways (Many roads lead to 
Rome).. It was just an example of PAM's numerous capabilities. At the moment 
I'm enjoying little goodies like xauth forwarding when using su(1). (You may 
know this message: Xlib: connection to ":0.0" refused by server)

On Wednesday 31 May 2006 05:38, Brett Goulder wrote:
> It's a complex piece of code prone to problems and tends to introduce so
> much excess that I do NOT use, I figure that most people who just need a
> simple log in system as I do would also get annoyed.

I really don't know how to answer this. Sounds like you just hate PAM and I'm 
sure I cannot convince you of the opposite. But that's okay. 

PAM could cause problems, yes. But I still hope we can solve as much as 
possible at the outset with a proper default configuration.

> I'm a minimalist, I try to keep things as simple as possible, and I
> wouldn't be able to deal with having excess such as PAM on my system, as it
> contradicts my commitment to minimalist (one of the major reasons I choose
> CRUX and stuck with it was that it was minimalist out of the box).

Is CRUX a minimalist Linux distribution? I started with CRUX 0.7 or 0.8. At 
that time Per spoke of "lightweight", "i686-optimized" and "A distribution 
without useless or obsolete files" (so called junk files: README, INSTALL, 
bla). Did I misunderstand his primary goal from the beginning?

> Complexity of implementation and design, PAM is both implementation complex
> AND design complex, it rolls over the concept of KISS like a steamroller.

It's not _that_ hard. The pam(8) manpage gives you a short overview with just 
96 lines of text. It also says: 

"From the point of view of the system administrator, for whom this manual is 
provided, it is not of primary importance to understand the internal behavior 
of the Linux-PAM library."

By the way, a lot of pam modules provide their own manpage (e.g. man 8 
pam_cracklib).


Yesterday I summarized PAM enabled core ports in a tarball (cracklib, 
linux-pam, openssh, shadow)[1]. 

I'd like to thank you guys for your answers :-). They gave me an impression of 
what CRUX users think about my (revolutionary?) ideas and what I'll do in 
future.

bye, danm

[1] http://crux.danm.de/files/x86/pam/pam-ports.tar.gz
-- 
Daniel Mueller
Berlin, Germany         OpenPGP: 1024D/E4F4383A



More information about the crux-devel mailing list