Message-ID: <bfa416c5-8baf-64ba-cdf7-8ebb83dfc26b@redhat.com>
Date: Fri, 23 Oct 2020 09:29:11 -0400
From: Carlos O'Donell <carlos@...hat.com>
To: Rich Felker <dalias@...c.org>, Arjun Shankar <arjun@...hat.com>
Cc: musl@...ts.openwall.com, Florian Weimer <fweimer@...hat.com>
Subject: Re: Plans to remove nscd in Fedora

On 10/19/20 9:08 PM, Rich Felker wrote:
> On Mon, Oct 19, 2020 at 07:13:31AM -0400, Arjun Shankar wrote:
>> Hi all,
>>
>> I am one of the maintainers for glibc in Fedora. We are planning to remove
>> nscd from Fedora in the near future, targeting the Fedora 34 release [1].
>>
>> Florian recently pointed out to me that this can impact users of musl-libc
>> binaries since musl is nscd-aware.
>>
>> I can see that the Fedora musl-libc package has no "official" dependent
>> packages (excepting musl-devel) in the Fedora repositories, but I expect
>> that there might be packages/applications from out of the distribution and
>> use cases that are affected by or possibly break with the removal of nscd.
>>
>> I'm writing to get some clarity on this.
>>
>> Best Regards,
>> Arjun
>>
>> [1] WIP: https://fedoraproject.org/wiki/Changes/RemoveNSCD
> 
> The only capacity in which musl uses nscd is to access custom
> user/group backends provided through it. musl specifically does not
> use nss itself because it's not compatible with static linking and
> because loading arbitrary module libraries into the calling process's
> core is not safe and goes against best practices. I believe the glibc
> folks were starting to realize this too, so it was kinda my hope that
> nscd would become the main/only way nss modules are accessed on glibc
> too.

My opinion is that we want something much thinner than nscd to provide
NSS for statically linked applications, and that such an interface
should not provide caching. If we really wanted, we could keep the nscd
socket interface but implement an NSS daemon for this, e.g. nssd, that would
just run all the time and could be depended upon by static applications.
It would have to be well audited and very simple.

The caching that nscd does has many legacy problems that are better solved
and maintained by other daemons that implement a split NSS module approach
(as Florian notes).


-- 
Cheers,
Carlos.
