Hey Grzegorz, first of all, welcome to DragonFly!
Grzegorz Błach wrote:
I use DragonFly about 2 year, currently I am ready to submit my tweaks and extensions to DFly system.
Now for this list. We always should consider the positive and negative effects of change. I don't want to sound negative, so take everything with a grain of salt.
1. a) chg default password_format do blowfish since there are known algoritm of collision for md5.
I guess that's not much of a problem and possibly also does no harm. However, I doubt that the collisions can be exploited.
b) add support for openwall passwdqc (password checker) pam module (this was added to FreeBSD 5.0)
is that some kind of cracklib? unrelated to this, i've always wanted some sort of generic password generator in base...
c) add support for openwall tcb - the alternative to shadow (with pam module) which is more secure than pam_unix and pam_pwdb, because tools like 'passwd' or 'chage' don't neet SUID, instead it use SGID 'shadow'. Group 'auth' may be used to read-only access to all password hashes.
I am not convinced that this improves security. Could you please detail your security considerations? My point is: current tools have been exposed to security audit for over 20 years now, so unless something else is conceptually more secure, chances are high that we should stick with the original system.
2. a) Replace sendmail with postfix (with cyrus-sasl). It is faster and use cleaner config file.
We have support by Greg Shaprio, a sendmail developer. Unless postfix is equally well supported, I object replacing it. I am using postfix on all my systems myself, however. Pkgsrc can do an equally good job in fixing bugs etc. However, I would like to see a simple mail transport as complete replacement for sendmail. I have a concept in mind, but I didn't have enough time and muse to do it. Please refer to the archives for multiple sendmail vs postfix bikesheds.
b) Add imap-uw as simple pop3 and imap4 daemon.
I don't think this should be part of a BSD base distribution. Packages like these are easily installed by pkgsrc and on top of that are for sure subject of holy flamewars.
c) Add stunnel for SSL/TLS access to mail-related daemon.
In principle I would love to have some tool where I can spy into SSL/TLS connections (when they are being established). Not sure why you'd want to use stunnel, though.
3. Build alternative to pkgsrc packages system, which will be build on pacman from archlinux.org, and use tweaked PKGBUILD scripts. This packages system should be easier to maintain, and we will keep track on all our packages. For faster port packages to DFly, we can use makepkg with PKGBUILD (which is a shell script) or we can rewrite this scripts to Makefiles which will stop building package on error. I will rewrite pacman tool which will be use this same archive format, but for library to reading archives I'll use libarchive, and for fetching packages from net I'll use libfetch. I need name for this tool, because this should be different than pacman.
This is a very ambitious effort and I hope that somebody will join you. Yet you have to be aware of the fact that DragonFly is supported very well through pkgsrc, and this kind of coverage needs to be reached. You will have to get used to the thought that for quite some time you will have to maintain your system in parallel to convince people that it is possible and better than pkgsrc.
I hope I'll got write access to CVS for complete this steps.
I think most of the changes are either simple enough to be submitted via mail first and the other ideas should be discussed thoroughly first. As soon as the flood of (good) patches from you becomes a pain for the committers, you will get the opportunity to directly commit. In the meantime, you might want to consider setting up and serving an alternative git or hg repository (better development model in my opinion anyways). Contact me for details on hg and git feeds. cheers simon -- Serve - BSD +++ RENT this banner advert +++ ASCII Ribbon /"\ Work - Mac +++ space for low €€€ NOW!1 +++ Campaign \ / Party Enjoy Relax | http://dragonflybsd.org Against HTML \ Dude 2c 2 the max ! http://golden-apple.biz Mail + News / \
signature.asc
Description: OpenPGP digital signature
