new dependency libbsd
fjaell opened this issue · 6 comments
as of shadow 4.14 a new dependency to libbsd was introduced. That's because of the new file libmisc/agetpass.c.
I'd suggest to make that dependency optional, because not every distribution includes libbsd in the core/base system, CRUX as an example.
Thanks.
What speaks against adding libbsd to your base system?
Recently, I have become aware of such a problem. Apparently, this library contains functionality that is incompatible with glibc. This problem makes it very difficult for Fedora and its derivatives to continue using libbsd.
From a shadow maintainer perspective I'd like to continue using libbsd, but from a Fedora maintainer perspective it's clear that libbsd is a problem. I'm at a crossroads right now.
One week ago, glibc 2.38 was released. It adds the strlcpy(3) and strlcat(3) set of APIs. This means that the only dep from libbsd is readpassphrase(3bsd).
https://sourceware.org/pipermail/libc-alpha/2023-July/150524.html
I strongly oppose rewriting readpassphrase(3bsd), as it's very difficult to write that function, and it's a critical one.
However, since we both use the BSD license, I guess it's fair to just copy&paste it to shadow as a temporary stop-gap.
But I suggest that downstream distros that /need/ to avoid libbsd do that.
For upstream shadow, I prefer to keep the libbsd dep, and push distributors to add libbsd to their base system as much as possible. That, or push libc implementations to provide readpassphrase(3). :)
EDIT:
I've now seen the concerns about fgetln(3) and arc4random(3) that you linked. We knew about the arc4random(3) one and workarounded it. We didn't know about fgetln(3), but it's not a problem for shadow, since we don't have multi-threaded programs (AFAIK).
So, none of them are issues to shadow, AFAICS.
Apart from adding readpassphrase() to the project I also had to revert 1482224, as freezero() is only provided by libbsd. If anyone would like to reuse the patches they are available at https://github.com/ikerexxe/shadow/tree/remove_libbsd.
@hallyn, I wonder, should I propose a PR (after some cleaning) to include those changes upstream?
That sounds good, thanks.