Date: Sat, 24 Sep 2011 23:13:57 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Ryan Steinmetz <rpsfa@rit.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: PAM modules -> LDAP!
Message-ID: <alpine.GSO.1.10.1109242259090.882@multics.mit.edu>
In-Reply-To: <20110925001258.GA28508@fast.rit.edu>
References: <86boukbk8s.fsf@ds4.des.no> <4E73C163.9040601@llnl.gov> <4E7492FE.2090506@zedat.fu-berlin.de> <20110917135341.GA23643@fast.rit.edu> <20110925001258.GA28508@fast.rit.edu>
On Sat, 24 Sep 2011, Ryan Steinmetz wrote:

> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base system.
> Something that would allow the software to be more easily kept current.
> Perhaps this could be done via some sort of base-integrated ports
> category that require extra-special care/controls when being updated.

I would very much love a way to tie certain ports into the base system, by which I mean have the base system utilities link against libraries provided by a port. (My particular example at hand would be to link ssh and friends against MIT kerberos from ports, but there are a goodly number of other examples.) Yet, in order for the benefits of ports to work, there would need to be a way to hook into the base system to get these utilities updated with port updates, and probably a way to disable the base system version of the libraries but still have utilities link against them (from ports). I do not think this is possible without a great deal of build infrastructure work; certainly just a special category of port is insufficient, as it should still have the update problem. Though perhaps my vision is not exactly what you are aiming for ...

> Using the above idea, perhaps we could have ISOs or the like available
> that include these 'base-integrated' ports pre-installed, thus giving
> users the ability to (effectively) have an out-of-the-box solution that
> included LDAP support, etc., while still having these 'base-integrated'
> ports loosely coupled with the base OS. The concept could keep the base
> system lean, but provide the flexibility that users desire.

People seem to have concerns about the ability of (some) mirrors to cope with huge piles of data, particularly in the context of regularly updated package sets from ports. Those concerns would seem to apply to this as well, as it would apply a scaling factor to the number of ISOs involved.

Now, having an extra option in the installer "Do you want to install the LDAP package? (y/n)" is another matter, and potentially doable. (Though given that perl was pulled *out* of this near-base status in the fairly recent past does give one pause ...)

> Obviously there are some complexities associated with implementing the
> framework and details that would need to be worked out, but this could
> address:
> -The desire to keep the base system lean
> -The desire to provide certain features out-of-the-box
> -The ability to keep these 'base-integrated' ports more current in terms
> of features/functionality

My main concern is with respect to the third point, in making sure that there do not creep in interdependencies that make updating the port components complicated or fragile.

-Ben Kaduk