On Thu, Oct 02, 2008 at 04:55:47PM +0200, Mark Phalan wrote: > On Wed, 2008-10-01 at 16:42 -0500, Will Fiveash wrote: > > On Wed, Oct 01, 2008 at 05:47:18PM +0200, Mark Phalan wrote: > > > On Mon, 2008-09-29 at 19:20 -0500, Will Fiveash wrote: > > > > On Thu, Aug 28, 2008 at 08:22:27PM +0200, Mark Phalan wrote: > > > > > > > > > > > > > > > I've just uploaded a webrev of my resync/pkinit workspace. There still > > > > > needs to be some work on pkinit so don't expect the code in > > > > > usr/src/lib/krb5/plugins/preauth/pkinit/ to be complete (you can > > > > > ignore > > > > > it for now). I'll post another incremental webrev with any changes I > > > > > make to the pkinit code later on. The rest of the changes are resync > > > > > changes for MIT 1.6.3. The hg comment needs to be updated, I'll do > > > > > that > > > > > once we get the pkinit PSARC case submitted. > > > > > > > > > > I've chunked the review up into four pieces as I expect the krb team > > > > > to > > > > > do the review. > > > > > > > > > > Shawn: Chunk 1 > > > > > Peter: Chunk 2 > > > > > Glenn: Chunk 3 > > > > > Will: Chunk 4 > > > > > > > > > > I'd like to have this completed by 17th Sept. Let me know if thats a > > > > > problem for anyone. > > > > > > > > > > webrev here: > > > > > http://cr.opensolaris.org/~mbp/pkinit/ > > > > > > > > Have you run this code through the lint -errsecurity=standard security > > > > checks? > > > > <see http://secprog.sfbay.sun.com/lint/levels.html> > > > > > > No. I was relying on the standard ON lint checks. I'll re-run with > > > "-errsecurity=standard" for the new pkinit code. > > > > Speaking of this, in > > usr/src/uts/common/gssapi/mechs/krb5/crypto/des/weak_key.c: > > > > 78 79 for (i = 0; i < (sizeof(weak)/sizeof(mit_des_cblock)); i++) { > > 79 - if (!memcmp((char *)weak_p++,(char > > *)key,sizeof(mit_des_cblock))) > > 80 + if (!memcmp(weak_p++,key,sizeof(mit_des_cblock))) > > 80 81 return 1; > > > > > > Why were the casts removed? Note that this code is common to user and > > kernel space and Wyllys had previously modified the kernel code to be > > lint clean. Did this change introduce any new lint warnings? > > No new lint warnings.
Ok, just checking. > What are the lint requirements for Kerberos? lint clean nightly run? > Certainly running "make lint" in most of the krb sub-dirs (current ON) > produces a lot of output. It is my understanding that Wyllys made the kernel krb mech source lint clean so only those files were affected. As far as reqs the internal Final Putback check list has this entry: - If you have touched a kernel file or header file, are you lint clean? And here: http://www.opensolaris.org/os/community/on/devref_toc/devref_7/ it states: 7.4 Using Lint The entire Solaris kernel and many libraries and commands are completely lint clean, both pass1 and pass2. It is important that we maintain this cleanliness as yet another tool to insure a high quality release. Although not all non-kernel code is lint-clean, new code should be, and all new commands and libraries should be entirely lint-clean. Lint-clean code should indicate to the build system that it should be linted. For an example of code in transition to lint-cleanliness, see usr/src/cmd/cmd-inet/usr.sbin/Makefile and the associated code. -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/
