Subject: Re: integrating PAM
To: NetBSD-current Discussion List <current-users@NetBSD.ORG>
From: David Maxwell <david@vex.net>
List: current-users
Date: 01/27/2003 14:06:25

On Mon, Jan 27, 2003 at 01:47:49PM -0500, Dan Melomedman wrote:
> David Maxwell wrote:
> > On Sat, Jan 25, 2003 at 11:58:18PM -0500, Greg A. Woods wrote:
> > > [ On Thursday, January 23, 2003 at 22:54:49 (-0500), David Maxwell wrote: ]
> > > > Subject: Re: integrating PAM
> > > >
> > > > There exist buggy PAM modules != PAM is bad.
> > > 
> > > Yes, but the number of lines-of-code does give a good hint towards the
> > > number of bugs that might be expected in it.
> > 
> > Bzzzt.
> > Thanks for retrying Dan's argument again.
> > How many lines-of-code are there in NetBSD's PAM implementation?
> 
> Bzzt. That was in reference to the pam-ldap module lines of code, not
> NetBSD PAM implementation lines of code.

I appreciate that you can read it that way, but there's no context in
that message to indicate that.

Here's the complete original from Greg:

> Subject: Re: integrating PAM
> To: None <current-users@netbsd.org>
> From: Greg A. Woods <woods@weird.com>
> List: current-users
> Date: 01/25/2003 23:58:18 
> [ On Thursday, January 23, 2003 at 22:54:49 (-0500), David Maxwell wrote: ]
> > Subject: Re: integrating PAM
> >
> > There exist buggy PAM modules != PAM is bad.
> 
> Yes, but the number of lines-of-code does give a good hint towards the
> number of bugs that might be expected in it.
> 
> Large and complex code is bad, and doubly so when it has to run as root,
> triply so if it also _requires_ dynamic loading of new object code.
> 
> The BSD Auth code is truly quite small and it's also quite readable and
> the design is very elegant and clean.  It's bound to have fewer bugs
> than an equally mature PAM implementation.
> 
> -- 
>                                                                 Greg A. Woods
> 
> +1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>

I don't see the word 'ldap' in there and I don't see the word 'module'
in there. I do see the phrase 'PAM implementation'.

Also, in any case,

There exist large buggy PAM modules != There cannot exist small,
                                       bug-free PAM modules.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville