Hi,

On Wednesday, 2022-04-20 at 10:57 -0700, Steve Langasek wrote:
> Hi folks,
>
> As of glibc 2.32, upstream has split out RPC support; if you want RPC
> functionality, you now need to link against libtirpc instead, which is a
> superior, more featureful implementation.
>
> This is a good thing architecturally, but one of the side effects for us is
> that, via PAM, we are now pulling a large number of crypto libraries into
> the transitively-essential set, because pam_unix links against libtirpc for
> NIS / NIS+ support.
>
> Sam Hartman made a valiant attempt to make this an optional dynamic
> dependency, but ultimately abandoned the effort.
>
> So I'd like to take a step back and challenge an underlying assumption by
> asking: do any of our users actually *need* this functionality? The RPC
> functionality is only used for NIS and NIS+. NIS is historically quite
> insecure, and I'm not aware of any efforts to improve its security (AFAIK
> the linkage of the crypto libraries doesn't fix the fundamentally insecure
> interfaces of NIS). NIS+ is intended to be a more secure version of NIS,
> but to my knowledge there has never been a free implementation in the
> archive; this was a Sun-specific technology, which Sun deprecated two
> decades ago[1].
>
> If we dropped support for NIS and NIS+ in the next Debian release, would
> anybody miss it? Or has everyone moved on to LDAP / AD by now?

Before any discussion takes place, I would like to point out a previous
attempt by Fedora to get rid of NIS/NIS+ back in 2021. Please check out
the LWN article at https://lwn.net/Articles/874174/ , which would
definitely be helpful for the condition in Debian.

Thanks,
Boyuan Yang