I'd like to add <http://code.google.com/p/hardened-shadow/> to the tree.
It is an alternative implementation of shadow utilities (passwd, su,
login, etc.) based on ideas from Openwall's tcb.
Earlier I tried upstreaming the Openwall's shadow patches, and you can
see a log of those efforts at
<http://comments.gmane.org/gmane.linux.debian.alioth.pkg-shadow/881>
In the end shadow-4.1.5 has some experimental support for tcb, but
1) It's incomplete (I didn't manage to upstream all Openwall's patches).
2) It's ugly (even more "special cases" in the already #ifdef-heavy
codebase).
3) It requires sys-auth/tcb, which doesn't work with vanilla glibc (I'm
maintaining tcb in Gentoo and have a special patch for that, reviewed by
upstream), and is broken with recent glibc
(<https://bugs.gentoo.org/show_bug.cgi?id=371167>).
And now we have <http://code.google.com/p/hardened-shadow/> which is a
small alternative implementation, possibly going even further (the file
system layout is a bit different than with tcb).
I'd like to add virtual/shadow-0, with the following dependencies:
The hardened-shadow package is not yet in the tree; I'm going to be its
maintainer (base-system or anyone else is welcome to join), and the
ebuild is going to be very simple.
And then convert profiles to the new virtual (the relevant files; below
are all occurrences of sys-apps/shadow):
$ grep 'sys-apps/shadow' -r /usr/portage/profiles/
/usr/portage/profiles/ChangeLog-2011: Added sys-apps/shadow to
packages.build as we need it on stage1.
/usr/portage/profiles/prefix/packages:-*>=sys-apps/shadow-4.1
/usr/portage/profiles/prefix/package.provided:sys-apps/shadow-0
/usr/portage/profiles/base/packages:*>=sys-apps/shadow-4.1
/usr/portage/profiles/uclibc/packages.build:sys-apps/shadow
/usr/portage/profiles/default/bsd/ChangeLog: Add -*>=sys-apps/shadow-4.1
/usr/portage/profiles/default/bsd/package.mask:sys-apps/shadow
/usr/portage/profiles/default/bsd/packages:-*>=sys-apps/shadow-4.1
/usr/portage/profiles/default/linux/packages.build:sys-apps/shadow
/usr/portage/profiles/use.local.desc:sys-apps/shadow:audit - Enable
support for sys-process/audit
/usr/portage/profiles/use.local.desc:sys-apps/shadow:tcb - Enable
support for sys-auth/tcb
On 3/8/12 2:23 PM, "Paweł Hajdan, Jr." wrote:
> And then convert profiles to the new virtual (the relevant files; below
> are all occurrences of sys-apps/shadow):
Because of no comments, I went ahead and checked in
sys-apps/hardened-shadow and virtual/shadow, and now made changes in
profiles/
Please let me know if you see any problems after those changes,
especially related to stage generation, prefix, bsd, and uclibc.
03-12-2012, 09:27 AM
Fabian Groffen
RFC: virtual/shadow
On 12-03-2012 10:16:12 +0100, "Paweł Hajdan, Jr." wrote:
> On 3/8/12 2:23 PM, "Paweł Hajdan, Jr." wrote:
> > And then convert profiles to the new virtual (the relevant files; below
> > are all occurrences of sys-apps/shadow):
>
> Because of no comments, I went ahead and checked in
> sys-apps/hardened-shadow and virtual/shadow, and now made changes in
> profiles/
>
> Please let me know if you see any problems after those changes,
> especially related to stage generation, prefix, bsd, and uclibc.
My rsync0 now spits out this message:
Virtual package in package.provided: virtual/shadow-0
See portage(5) for correct package.provided usage.
I did not foresee this happening, but each and every Prefix user now gets
this complaint on each and every emerge invocation. It does not seem to
block any operation, but could we perhaps hold back further changes
until I can sort this out with Zac?
Thanks
--
Fabian Groffen
Gentoo on a different level
03-12-2012, 09:35 AM
"Paweł Hajdan, Jr."
RFC: virtual/shadow
On 3/12/12 11:27 AM, Fabian Groffen wrote:
> My rsync0 now spits out this message:
>
> Virtual package in package.provided: virtual/shadow-0
> See portage(5) for correct package.provided usage.
>
> I did not foresee this happening, but each and every Prefix user now gets
> this complaint on each and every emerge invocation. It does not seem to
> block any operation, but could we perhaps hold back further changes
> until I can sort this out with Zac?
Ah, I read portage(5) now and adding a virtual to package.provided is
indeed explicitly prohibited.
I removed it, but some further changes might be required for prefix
(i.e. version number >= 4.1 in package.provided to satisfy the virtual),
and I'll indeed hold back further changes in that area,
and preferably just let you do any necessary fixes for prefix.
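The portage(5) rule discussed above, as an added check that is not part of this thread or of portage itself: a small POSIX sh linter that flags the two ways a package.provided entry can be wrong (a virtual/ entry, which is what produced the warning on Fabian's rsync0, and an entry without a version). The sample file is constructed, with the offending virtual/shadow-0 line beside the concrete sys-apps/shadow entry a Prefix profile would list instead.

```shell
#!/bin/sh
# Added example, not from the thread: lint a package.provided file.
# portage(5) forbids virtuals in package.provided and requires every
# entry to be a versioned category/package-version atom.

# Constructed sample package.provided (not a real profile file).
SAMPLE='# constructed sample
virtual/shadow-0
sys-apps/shadow-4.1.5
sys-apps/baselayout'

# lint_package_provided FILE: print one finding per bad entry,
# return 1 if anything was found, 0 if the file is clean.
lint_package_provided() {
    _rc=0
    while IFS= read -r line; do
        entry=${line%%#*}                                 # drop comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]') # drop whitespace
        [ -z "$entry" ] && continue
        case "$entry" in
            virtual/*)
                echo "Virtual package in package.provided: $entry"
                _rc=1 ;;
        esac
        case "$entry" in
            */*-[0-9]*) ;;   # category/package-version: fine
            *)
                echo "Entry without a version in package.provided: $entry"
                _rc=1 ;;
        esac
    done < "$1"
    return "$_rc"
}

# count_findings FILE: number of findings, handy for scripting.
count_findings() {
    lint_package_provided "$1" | wc -l | tr -d ' '
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE" > "$tmp"
    lint_package_provided "$tmp"   # prints the two findings for SAMPLE
    rm -f "$tmp"
}
```

Run it against a profile's package.provided after converting to the virtual; a clean file exits 0 and emerge no longer prints the warning.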
03-12-2012, 09:38 AM
Fabian Groffen
RFC: virtual/shadow
On 12-03-2012 11:35:43 +0100, "Paweł Hajdan, Jr." wrote:
> On 3/12/12 11:27 AM, Fabian Groffen wrote:
> > My rsync0 now spits out this message:
> >
> > Virtual package in package.provided: virtual/shadow-0
> > See portage(5) for correct package.provided usage.
> >
> > I did not foresee this happening, but each and every Prefix user now gets
> > this complaint on each and every emerge invocation. It does not seem to
> > block any operation, but could we perhaps hold back further changes
> > until I can sort this out with Zac?
>
> Ah, I read portage(5) now and adding a virtual to package.provided is
> indeed explicitly prohibited.
>
> I removed it, but some further changes might be required for prefix
> (i.e. version number >= 4.1 in package.provided to satisfy the virtual),
> and I'll indeed hold back further changes in that area,
> and preferably just let you do any necessary fixes for prefix.