Hi folks, As of glibc 2.32, upstream has split out RPC support; if you want RPC functionality, you now need to link against libtirpc instead, which is a superior, more featureful implementation. This is a good thing architecturally, but one of the side effects for us is that, via PAM, we are now pulling a large number of crypto libraries into the transitively-essential set, because pam_unix links against libtirpc for NIS / NIS+ support. Sam Hartman made a valiant attempt to make this an optional dynamic dependency, but ultimately abandoned the effort. So I'd like to take a step back and challenge an underlying assumption by asking: do any of our users actually *need* this functionality? The RPC functionality is only used for NIS and NIS+. NIS is historically quite insecure, and I'm not aware of any efforts to improve its security (AFAIK the linkage of the crypto libraries doesn't fix the fundamentally insecure interfaces of NIS). NIS+ is intended to be a more secure version of NIS, but to my knowledge there has never been a free implementation in the archive; this was a Sun-specific technology, which Sun deprecated two decades ago[1]. If we dropped support for NIS and NIS+ in the next Debian release, would anybody miss it? Or has everyone moved on to LDAP / AD by now? -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org [1] "Prior to the release of Solaris 9 in 2002, Sun announced its intent to remove NIS+ from Solaris in a future release and now recommends that customers instead use an LDAP-based lookup scheme." https://en.wikipedia.org/wiki/NIS+
Attachment:
signature.asc
Description: PGP signature