Josh, I took a look at writing a patch to implement dlopen of the appropriate RPC libraries for NIS support in pam.
It looked a bit more thorny than I'd feel comfortable with unless I had substantial review, and it looks like my non-Debian commitments are picking up. Thoughts: * If it's going to happen for bullseye, it needs to be written, reviewed and uploaded by the 12th. * If it's going to happen it needs to not be vetoed by Steve. (Steve said he'd be happy with my help on PAM this week, but he's still the maintainer) * I'd want an independent review of the patch from someone different from whoever wrote it. I'd want the reviewer and the author to test the patch against a NIS environment. Based on my schedule that basically means that someone would need to write a patch, test it, and propose by Saturday. If that happens I'll commit to reviewing, testing, and if we can resolve any issues that come up, uploading. My review criteria would be: 1) Confidence that the patch does not introduce new security problems. The control flow in pam_unix_password.c is already kind of complex, and it seems like it would be easy to introduce bugs by changing that. 2) Maintenance. Is it likely that Debian's going to be able to carry the patch long-term? I doubt we'll see upstream take the patch. One test of this will be to confirm that the patch is easy to deal with for the 1.4.0 release of PAM in Debian and the 1.5.1 release upstream. But there's also a subjective judgment. 3) Ability to detect changes in dependencies. Presumably we'd move dependencies to recommends rather than depends. I'd want to review and make sure we were likely to detect those recommends becoming out of date. One way to handle that would be to produce an autopkgtest that tested the NIS code. (PAM currently has no autopkgtests). It's possible that if we had a plan, that could be deferred a bit in implementation, so long as we had something in place when things thaw. Honestly, what I'm proposing is a tight schedule. So I suspect this isn't happening for bullseye. But I wanted to let you know where my availableavailability as a PAM uploader was, and that I didn't have time to write the patch myself. --Sam
signature.asc
Description: PGP signature