Hi folks, A new version of PAM (0.99.7.1-1) has been packaged and uploaded to experimental. This is intended to replace 0.79-4. However, because there have been quite a number of upstream changes, and all the Debian-specific patches against the old one were painstakingly re-diffed and updated by hand, and because a broken PAM means a rather broken system, this new version needs some wider testing before it is suitable for unstable. The work for this was done by myself and Jan Christoph Nordholz, who rewrote the @include patch, fixing a memory leak in the current code, as well as doing a lot of testing, building and general reviewing of the PAM packaging. It's thanks to Jan that it's ready for wider review, since I did all the rediffing back in April, but lacked time to squash the last few bugs. If anyone could take the time to install it, test all the services using PAM for authentication/authorisation still work as expected, and report any defects, that would be much appreciated. If you want to avoid breaking your system, it is advisable to install into a chroot. However, we have tested that basic functionality does work (su and passwd in particular), so it should be safe to install for real (but no guarantees are given). Additionally, all of the packages which Build-Depend, Depend or Recommend PAM packages should be tested against the new packages. A complete list is given below, and the maintainer's Bcc'd with this message. If you do hack on the PAM sources, note that the dpatch patch order is important--later patches do rely on earlier patches being present. Also, you need to run "debian/rules patch|unpatch" by hand, due to the need to re-bootstrap the autotools. To do that "debian/rules bootstrap" will do everything consistently, providing the patches are applied. Some bits which need wider review and discussion: Several of the Debian-specific patches should probably be removed. For example, the @include (Debian-specific) syntax should be replaced by the include mechanism added by upstream; we should make this a release goal for Lenny IMO. Maintaining Debian-specific hacks imposes a real burden on the PAM maintainers--it took over 15 man hours to do the main re-diffing, and the same again to get it working, which is ridiculous and error-prone. We could easily be introducing Debian-specific security bugs by doing so. Some checks such as the obscure checks for pam_unix and chroot limits for pam_limits should be dropped (who uses this functionality)? The obsure checks appear to predate PAM, but should cracklib not be the replacement? This non-standard stuff should really be deprecated, obsoleted, then dropped. What do other people think about this? The remaining patches should then really be pushed upstream, which possible now we are synched with their latest stable release. One other note: upstream now default to enabling cracklib in pam_unix (in addition to pam_cracklib), which causes passwd to do all the extra checks cracklib does. This has been disabled for now after discussion with Jan, because it brings in quite a few dependencies into base, and may not be generally wanted. It also breaks passwd if you don't have cracklib-runtime *and* a wordlist *and* run update-cracklib, so this needs some fixing of dependencies and coordination to do properly. It might be worth re-adding, if there was consensus for that. I'm not yet sure how this differs from the pam_cracklib functionality, however. Regards, Roger Laszlo Boszormenyi (GCS) <gcs@debian.hu> gradm2 Stefan Hornburg (Racke) <racke@linuxia.de> courier courier-authlib pure-ftpd Richard A Nelson (Rick) <cowboy@debian.org> libnss-ldap libpam-ldap Marco Presi (Zufus) <zufus@debian.org> linesrv Krzysztof Krzyzaniak (eloy) <eloy@debian.org> popa3d Russ Allbery <rra@debian.org> libpam-afs-session Sebastien Bacher <seb128@debian.org> libgnomesu Carlos Barros <cbf@debian.org> tac-plus Dima Barsky <dima@debian.org> python-pam Vincent Bernat <bernat@luffy.cx> xrdp Michael Biebl <biebl@debian.org> partimage Laurent Bigonville <bigon@bigon.be> pam-keyring Blars Blarson <blarson@blars.org> nntp Primoz Bratanic <primoz@slo-tech.com> pam-pgsql Joachim Breitner <nomeata@debian.org> poldi Adrian Bridgett <bridgett@debian.org> dante Chris Butler <chrisb@debian.org> wu-ftpd Rubén Porras Campo <nahoo@inicia.es> libpam-encfs Pierre Chifflier <chifflier@inl.fr> nufw wzdftpd Adam Conrad <adconrad@0c3.net> poppassd Christopher Cramer <crayc@dapac.org> usermode Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org> cupsys Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org> cyrus-sasl2 cyrus-sasl2-heimdal Debian Cyrus Team <pkg-cyrus-imapd-debian-devel@lists.alioth.debian.org> cyrus-imapd-2.2 Debian Edu Developers <debian-edu@lists.debian.org> debian-edu Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org> gdm Debian Kolab Maintainers <pkg-kolab-devel@lists.alioth.debian.org> kolab-cyrus-imapd Debian Multimedia Team <debian-multimedia@lists.debian.org> jack-audio-connection-kit Debian OpenOffice Team <debian-openoffice@lists.debian.org> openoffice.org Debian OpenSSH Maintainers <debian-ssh@lists.debian.org> openssh Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org> php5 Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> kdeadmin kdebase Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org> samba Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org> bayonne Debian X Strike Force <debian-x@lists.debian.org> xdm Debian buildd-tools Developers <buildd-tools-devel@lists.alioth.debian.org> schroot Eric Dorland <eric@debian.org> pam-p11 Paul Dwerryhouse <paul@dwerryhouse.com.au> kannel Peter Eisentraut <petere@debian.org> pgpool Rene Engelhard <rene@debian.org> away Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org> exim4 Gerfried Fuchs <alfie@debian.org> francine Luigi Gangitano <luigi@debian.org> squid squid3 Bdale Garbee <bdale@gag.com> sudo Matthew Garrett <mjg59@srcf.ucam.org> libpam-foreground Thomas Goirand <thomas@goirand.fr> dtc Stephen Gran <sgran@debian.org> freeradius Debian QA Group <packages@qa.debian.org> pexts Yu Guanghui <ygh@debian.org> qpopper Guido Guenther <agx@sigxcpu.org> libpam-ccreds Pierre Habouzit <madcoder@debian.org> ldapscripts Christian Hammers <ch@debian.org> quagga Sam Hartman <hartmans@debian.org> libpam-krb5 openafs pam Tollef Fog Heen <tfheen@debian.org> pam-passwdqc pam-tmpdir pam-umask Henrique de Moraes Holschuh <hmh@debian.org> fcron Simon Horman <horms@debian.org> heartbeat perdition Alberto Gonzalez Iniesta <agi@inittab.org> linux-ftpd netkit-rsh openvpn Joerg Jaspert <joerg@debian.org> muddleftpd Arthur de Jong <adejong@debian.org> nss-ldapd Guillem Jover <guillem@debian.org> inetutils lockvc Stephan Kaufhold <s.kaufhold@1stbna.com> libpam-pwgen Bastian Kleineidam <calvin@debian.org> libpam-mount Ivan Kohler <ivan-debian@420.am> libpam-unix2 Anand Kumria <wildfire@progsoc.org> pam-http Oliver Kurth <oku@debian.org> pam-dotfile Aurelien Labrosse <aurelien.labrosse@free.fr> libpam-ssh Asheesh Laroia <asheesh@asheesh.org> alpine Simon Law <sfllaw@debian.org> lsh-utils wvstreams Jeff Licquia <licquia@debian.org> diald John Lightsey <lightsey@debian.org> apt-watch Francesco Paolo Lovergine <frankie@debian.org> proftpd-dfsg yardradius Robert Luberda <robert@debian.org> solid-pop3d super Dovecot Maintainers <jaldhar-dovecot@debian.org> dovecot OHURA Makoto <ohura@debian.org> xemacs21 Jordi Mallach <jordi@debian.org> mailutils Roland Mas <lolando@debian.org> gforge Peter Mathiasson <peterm@debian.org> pam-devperm Martin Maurer <fireflier@gibraltar.at> fireflier Rene Mayrhofer <rmayr@debian.org> openswan strongswan Steve McIntyre <93sam@debian.org> cvs Matthijs Mohlmann <matthijs@cacholong.nl> libpam-heimdal Ryan Murray <rmurray@debian.org> at Jaakko Niemi <liiwi@debian.org> sfs Fabio M. Di Nitto <fabbione@fabbione.net> libpam-radius-auth Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> screen Greg Norris <adric@debian.org> libpam-pwdfile Alvaro Lopez Ortega <alvaro@gnu.org> cherokee Erlang Packagers <erlang-pkg-devel@lists.berlios.de> yaws Peter Palfrader <weasel@debian.org> uucp vlock Eloy A. Paris <peloy@debian.org> ncpfs Jose Parrella <joseparrella@cantv.net> libpam-rsa libpam-usb Guilherme de S. Pastore <gpastore@debian.org> gnome-screensaver Javier Fernandez-Sanguino Pen~a <jfs@computer.org> cron libpam-chroot Christian Perrier <bubulle@debian.org> calife Martin Pitt <mpitt@debian.org> postgresql-8.1 postgresql-8.2 Cai Qian <caiqian@debian.org> linux-ftpd-ssl Florian Ragwitz <rafl@debianforum.de> libauthen-pam-perl Ganesan Rajagopal <rganesan@debian.org> ipsec-tools Sebastian Rittau <srittau@debian.org> netatalk Jose Luis Rivas <ghostbar38@gmail.com> xscreensaver Ghe Rivero <ghe@upsa.es> libuser Piotr Roszatycki <dexter@debian.org> libapache2-mod-auth-pam Ludovic Rousseau <rousseau@debian.org> muscleframework Giuseppe Sacco <eppesuig@debian.org> hylafax Riccardo Setti <giskard@autistici.org> aolserver4-nsimap Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> shadow Vladimir Shakhov <lumpen.intellectual@gmail.com> wdm Guus Sliepen <guus@debian.org> rsh-redone Jonas Smedegaard <dr@jones.dk> libmail-cclient-perl uw-imap Roger So <rogerso@debian.org> im-sdk Manoj Srivastava <srivasta@debian.org> policycoreutils refpolicy Riccardo Stagni <unriccio@email.it> qingy Michael Stone <mstone@debian.org> libpam-opie opie xlockmore Debian Shishi Team <help-shishi@gnu.org> shishi Andreas Tscharner <andy@vis.ethz.ch> cvsnt Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org> network-manager Matej Vela <vela@debian.org> vsftpd Jelmer Vernooij <jelmer@samba.org> pam-krb5-migrate Paweł Więcek <coven@debian.org> pam-mysql Carsten Wolff <carsten@wolffcarsten.de> php-auth-pam Marco d'Itri <md@linux.it> inn2 ppp -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
Attachment:
pgphewyx2EXpO.pgp
Description: PGP signature