pam_pkcs11-0.5.3 in test stage

Jonsy (teleline)
AFAIK, there are no more items pending for pam_pkcs11-0.5.3

My plan is to release it next Monday, so please, test and send
bugreports, documentation issues and/or fixes before Sunday.

Dominik:
- Need you to test changes I've made on your ldap_mapper,
- Could you write a docbook xml chapter on ldap configuration?
Thanks

I know lots of things need improvement (see TODO). Specifically:

- Handling of login find() mapper function is far from good,
and raises problems when the user database is too big or
multiple remote queries are needed
- CA files are restricted to be as local hashdir. Need to recode
to accept "any" CA source. Same applies to "offline" CRL checks
- PIN query is another story... ( tons of mails in this list :)
Still need consensus
- Convergence with rest of OpenSC team applications: use libp11,
same coding conventions, and so
- What's on Debian packaging? Sorry: I use Fedora, so I only can
code and test .rpm :-)
- What's on Document generation? (Changelog, doxygen, html files)

Anyway, note that most of these items are not scheduled for 0.5.3.
My immediate interest is to publish on Monday a well documented,
mostly bugfree'd release, not adding new features.

Thanks
Juan Antonio


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: pam_pkcs11-0.5.3 in test stage

Ludovic Rousseau
On 07/09/05, Jonsy (teleline) <[hidden email]> wrote:
> AFAIK, there are no more items pending for pam_pkcs11-0.5.3
>
> - What's on Debian packaging? Sorry: I use Fedora, so I only can
> code and test .rpm :-)

I can provide a Debian package. In fact I generate it for my own use
so it is no extra work to put it somewhere. But I don't know where to
put it.

The OpenSC.org site does not distribute binary packages, right?
I don't think it should. Binary packages should be provided by distributors.

> Anyway, note that most of these items are not scheduled for 0.5.3.
> My immediate interest is to publish on Monday a well documented,
> mostly bugfree'd release, not adding new features.

Bugfree? :-)
I can't compile the ldap-mapper anymore:
../../../src/mappers/ldap_mapper.c: In function 'ldap_get_certificate':
../../../src/mappers/ldap_mapper.c:107: error: 'LDAP_SCOPE_SUB'
undeclared (first use in this function)

I know (almost) nothing about ldap. All I have in /usr/include/ldap.h
(from libldap2-dev 2.1.30-8) regarding LDAP_SCOPE_*  is:
[...]
/* search scopes */
#define LDAP_SCOPE_DEFAULT      ((ber_int_t) -1)
#define LDAP_SCOPE_BASE         ((ber_int_t) 0x0000)
#define LDAP_SCOPE_ONELEVEL     ((ber_int_t) 0x0001)
#define LDAP_SCOPE_SUBTREE      ((ber_int_t) 0x0002)
[...]

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google

Re: pam_pkcs11-0.5.3 in test stage

Jonsy (teleline)
On Wed, 07-09-2005 at 14:23 +0200, Ludovic Rousseau wrote:
[...]

> I know (almost) nothing about ldap. All I have in /usr/include/ldap.h
> (from libldap2-dev 2.1.30-8) regarding LDAP_SCOPE_*  is:
> [...]
> /* search scopes */
> #define LDAP_SCOPE_DEFAULT      ((ber_int_t) -1)
> #define LDAP_SCOPE_BASE         ((ber_int_t) 0x0000)
> #define LDAP_SCOPE_ONELEVEL     ((ber_int_t) 0x0001)
> #define LDAP_SCOPE_SUBTREE      ((ber_int_t) 0x0002)
> [...]

From my (FC4) ldap.h:

[jantonio@jonsy svn]$ grep LDAP_SCOPE_ /usr/include/*ldap*
/usr/include/ldap.h:#define LDAP_SCOPE_DEFAULT  ((ber_int_t) -1)
/usr/include/ldap.h:#define LDAP_SCOPE_BASE     ((ber_int_t) 0x0000)
/usr/include/ldap.h:#define LDAP_SCOPE_BASEOBJECT       LDAP_SCOPE_BASE
/usr/include/ldap.h:#define LDAP_SCOPE_ONELEVEL ((ber_int_t) 0x0001)
/usr/include/ldap.h:#define LDAP_SCOPE_ONE      LDAP_SCOPE_ONELEVEL
/usr/include/ldap.h:#define LDAP_SCOPE_SUBTREE  ((ber_int_t) 0x0002)
/usr/include/ldap.h:#define LDAP_SCOPE_SUB      LDAP_SCOPE_SUBTREE

Anyway, fixing svn....

Juan Antonio



Re: pam_pkcs11-0.5.3 in test stage

Andreas Jellinghaus-2
In reply to this post by Ludovic Rousseau
On Wednesday 07 September 2005 14:23, Ludovic Rousseau wrote:
> The OpenSC.org site does not distribute binary packages, right?
> I don't think it should. Binary packages should be provided by distributors.

well, we did, but once eric had official packages in debian, we removed
them, as we didn't maintain them and he did a better job at packaging anyway.

Regards, Andreas

Re: pam_pkcs11-0.5.3 in test stage

Dominik Fischer
In reply to this post by Ludovic Rousseau
On Wednesday, 07.09.2005, at 14:23 +0200, Ludovic Rousseau wrote:

> Bugfree? :-)
> I can't compile the ldap-mapper anymore:
> ../../../src/mappers/ldap_mapper.c: In function 'ldap_get_certificate':
> ../../../src/mappers/ldap_mapper.c:107: error: 'LDAP_SCOPE_SUB'
> undeclared (first use in this function)
>
> I know (almost) nothing about ldap. All I have in /usr/include/ldap.h
> (from libldap2-dev 2.1.30-8) regarding LDAP_SCOPE_*  is:
> [...]
> /* search scopes */
> #define LDAP_SCOPE_DEFAULT      ((ber_int_t) -1)
> #define LDAP_SCOPE_BASE         ((ber_int_t) 0x0000)
> #define LDAP_SCOPE_ONELEVEL     ((ber_int_t) 0x0001)
> #define LDAP_SCOPE_SUBTREE      ((ber_int_t) 0x0002)
> [...]

I have these in my ldap.h (OpenLDAP 2.2.23).

/* search scopes */
#define LDAP_SCOPE_DEFAULT              ((ber_int_t) -1)         /* OpenLDAP extension */
#define LDAP_SCOPE_BASE                 ((ber_int_t) 0x0000)
#define LDAP_SCOPE_BASEOBJECT   LDAP_SCOPE_BASE
#define LDAP_SCOPE_ONELEVEL             ((ber_int_t) 0x0001)
#define LDAP_SCOPE_ONE                  LDAP_SCOPE_ONELEVEL
#define LDAP_SCOPE_SUBTREE              ((ber_int_t) 0x0002)
#define LDAP_SCOPE_SUB                  LDAP_SCOPE_SUBTREE

It's no problem to change LDAP_SCOPE_SUB to LDAP_SCOPE_SUBTREE.

Regards,
Dominik


Re: pam_pkcs11-0.5.3 in test stage

Jonsy (teleline)
In reply to this post by Andreas Jellinghaus-2
On Wed, 07-09-2005 at 16:17 +0200, Andreas Jellinghaus wrote:
> On Wednesday 07 September 2005 14:23, Ludovic Rousseau wrote:
> > The OpenSC.org site does not distribute binary packages, right?
> > I don't think it should.
> > Binary packages should be provided by distributors.

I agree too. Don't distribute binaries! Use the Source, Luke!(tm)
In fact, my (only) work in rpm files is:
- Provide a reference "pam_pkcs11.spec" file
- Make sure that "make dist" generates a tgz file that works
  fine with "rpmbuild -ta pam_pkcs11-x.y.z.tar.gz" with FC4
  ( I don't like "wild packages" running at my home PC ... :)

My question was on specific Debian files and structures needed
to generate .deb packages, as I've seen in other projects.
Anyway, if there is already an "un-official OpenSC Debian packager"
less work for us :-)

Juan Antonio

Re: pam_pkcs11-0.5.3 in test stage

Ville Skyttä-2
In reply to this post by Jonsy (teleline)
On Wed, 2005-09-07 at 13:19 +0200, Jonsy (teleline) wrote:

> - What's on Debian packaging? Sorry: I use Fedora, so I only can
> code and test .rpm :-)

FYI, there's a pam_pkcs11 submission to Fedora Extras under review,
along with some issues and patches you might want to look into:
https://bugzilla.redhat.com/165899
http://cvs.fedora.redhat.com/viewcvs/rpms/pam_pkcs11/devel/?root=extras


Re: pam_pkcs11-0.5.3 in test stage

Jonsy (teleline)
On Wed, 07-09-2005 at 20:25 +0300, Ville Skyttä wrote:
> On Wed, 2005-09-07 at 13:19 +0200, Jonsy (teleline) wrote:
> > - What's on Debian packaging? Sorry: I use Fedora, so I only can
> > code and test .rpm :-)
> FYI, there's a pam_pkcs11 submission to Fedora Extras under review,
> along with some issues and patches you might want to look into:
> https://bugzilla.redhat.com/165899
> http://cvs.fedora.redhat.com/viewcvs/rpms/pam_pkcs11/devel/?root=extras

- badstatic patch: it's unnecessary for 0.5.3. Fixed sometime ago...

- pki patch: (use of /etc/pki/pam_pkcs11 instead of /etc/pam_pkcs11)
Not sure. As your bugtracker notices, use of /etc/pki/* is new to FC4.
What's about it in other distributions?

I'm still studying your .spec file and porting back to svn

Thanks for the links

Juan Antonio


Re: pam_pkcs11-0.5.3 in test stage

Ville Skyttä-2
On Wed, 2005-09-07 at 20:47 +0200, juan antonio martinez wrote:

> - pki patch: (use of /etc/pki/pam_pkcs11 instead of /etc/pam_pkcs11)
> Not sure. As your bugtracker notices, use of /etc/pki/* is new to FC4.

Yes.

> What's about it in other distributions?.

I don't know, but I guess it varies wildly.  I also vaguely remember
someone mentioning that the /etc/pki suggestion was also sent to LSB/FHS
folks.  But don't quote me on that.

> I'm still studying your .spec file and porting back to svn

BTW, it's not my specfile [1], I'm just reviewing the package
submission.  Tom Callaway is the submitter.

Random thoughts: depending on what your plans are for the specfile in
svn/pam_pkcs11 tarball, some caution would be in order.  The
package/specfile under review in bugzilla.redhat.com is without a doubt
pretty Fedora/Red Hat specific, so in case you're providing a generic
specfile for rpm based distros in general, that one might not be the
best example to adopt as a whole.  On the other hand, if you're
providing it for Fedora users, well, there's going to be another one in
Fedora Extras, so if you're interested, you might just as well help with
the package there and drop the specfile from the pam_pkcs11
tarball/svn...

Oh, and BTW, I'm on the opensc list, no need for a personal copy for
replies.

[1] OTOH I did write a specfile for pkcs11_login a long time ago, which
to my surprise was apparently later included in the
pkcs11_login/pam_pkcs11 distribution almost verbatim (with the changelog
stripped without any credit left, tsk tsk ;)).  I don't remember whether
the current specfile under review is based on that or not.


Re: Re: pam_pkcs11-0.5.3 in test stage

Ville Skyttä-2
On Wed, 2005-09-07 at 22:26 +0300, Ville Skyttä wrote:

> [1] OTOH I did write a specfile for pkcs11_login a long time ago, which
> to my surprise was apparently later included in the
> pkcs11_login/pam_pkcs11 distribution almost verbatim (with the changelog
> stripped without any credit left, tsk tsk ;)).

Blah, the above is BS and the changelog is still there, I've confused it
with something else.  Sorry about the noise, should have double checked
first.


Re: Re: pam_pkcs11-0.5.3 in test stage

Peter Stuge
In reply to this post by Jonsy (teleline)
On Wed, Sep 07, 2005 at 08:47:44PM +0200, juan antonio martinez wrote:
> - pki patch: (use of /etc/pki/pam_pkcs11 instead of /etc/pam_pkcs11)
> Not sure. As your bugtracker notices, use of /etc/pki/* is new to
> FC4.
> What's about it in other distributions?.

New to me, I mostly run Gentoo these days but have some Slackware and
OwL around too.


//Peter

Re: pam_pkcs11-0.5.3 in test stage

Andreas Jellinghaus-2
In reply to this post by Jonsy (teleline)
Hi Jonsy,

please let me know what we should do with the web page.
I guess we want:
 - add a news entry (new file in news/ subdir)
 - add a line to the LATEST file with the pam_pkcs11 version.
 - anything else?

I guess you can checkout and modify the web page, too
(/svn/web/trunk/ ... ), if I can be of any help, please
let me know. Also feel free to post to opensc-announce,
either Nils or I will approve your posting (or any other
developer that remembers the moderation password).

Regards, Andreas

Re: pam_pkcs11-0.5.3 in test stage

Jonsy (teleline)
On Sun, 11-09-2005 at 19:35 +0200, Andreas Jellinghaus wrote:
> Hi Jonsy,
> please let me know what we should do with the web page.
> I guess we want:
>  - add a news entry (new file in news/ subdir)
>  - add a line to the LATEST file with the pam_pkcs11 version.
I should be able by myself to do this with svn... :-)

>  - anything else?

- Not sure about how to submit pam_pkcs11-0.5.3.tar.gz to
"/files" directory
- How and where to submit md5/sha1 sums files. btw, your doc
only talks about gpg signatures...

What's on OpenSC Team maintenance politics:
I want to start asap in pam_pkcs11-0.6. But unfortunately,
I'm sure 0.5 won't be a dead tree. My assumptions are:
- Use "trunk" as development tree for 0.6
- Use "releases" to store vanilla 0.5.3
- Use "branches" to store updates and fixes for 0.5.3

Is this correct? Else, what's the right way to do(tm)?

Of course, I'll send opensc-announce proper email

Thanks
Juan Antonio


Re: pam_pkcs11-0.5.3 in test stage

Andreas Jellinghaus-2
On Monday 12 September 2005 09:39, Jonsy (teleline) wrote:
> - Not sure about how to submit pam_pkcs11-0.5.3.tar.gz to
> "/files" directory

right, about time I fix that. We have a "files" repository and
now it also has content. so if you add your file to that svn
directory and commit them, they will be placed in /files/ url.

warning: a files checkout is ~ 50 MB (all opensc/ct/... releases
ever).

> - How and where to submit md5/sha1 sums files. btw, your doc
> only talks about gpg signatures...

we have doc about gpg signatures? hu, where?

I know gpg signatures were used once, but no one has the key for
them, so ...

currently we don't use any MD5/sha1/gpg signature mechanism.
but feel free to start an MD5SUMS file or whatever :)

> What's on OpenSC Team maintenance politics:
> I want to start asap in pam_pkcs11-0.6. But unfortunately,
> I'm sure 0.5 won't be a dead tree. My assumptions are:
> - Use "trunk" as development tree for 0.6
> - Use "releases" to store vanilla 0.5.3
> - Use "branches" to store updates and fixes for 0.5.3

with opensc I have: trunk for 0.10.* development,
branches/opensc-0.9 for 0.9.* maintenance,
releases/opensc-0.9.X for releases.

once the tar file is published the releases/
directory is no longer touched.

I think it works well this way, but if you want to do different,
that is also fine.

earlier I did:
 - change the configure.ac file (version number) in trunk,
   cp trunk to releases/whatever, change configure.ac in trunk
   back to "WIP".

recently I started to do instead:
 - cp trunk to releases/whatever, checkout that dir, edit
   configure.ac. a bit less work, and while the tar.gz isn't
   published, I can still do changes in there.

also I now create for example releases/openct-0.6.6, but
change the version only to 0.6.6-rc1, then -rc2, ....
i.e. no extra structure for pre-releases. I think we won't
need them after the real release (and if someone wants them,
we still have the tar.gz file and we know which revision of
the release/openct-0.6.6 tree was used for the release).

currently I'm quite happy working like that. might work well
for you too, but feel free to do whatever suits you best.

Regards, Andreas

Re: pam_pkcs11-0.5.3 released

Jonsy (teleline)
On Mon, 12-09-2005 at 10:36 +0200, Andreas Jellinghaus wrote:
> On Monday 12 September 2005 09:39, Jonsy (teleline) wrote:
> > - Not sure about how to submit pam_pkcs11-0.5.3.tar.gz to
> > "/files" directory
> right, about time I fix that. We have a "files" repository and
> now it also has content. so if you add your file to that svn
> directory and commit them, they will be placed in /files/ url.
> warning: a files checkout is ~ 50 MB (all opensc/ct/... releases
> ever).

Just committed

> > - How and where to submit md5/sha1 sums files. btw, your doc
> > only talks about gpg signatures...
> we have doc about gpg signatures? hu, where?

svn/web/trunk/USAGE-HOWTO.txt

> currently we don't use any MD5/sha1/gpg signature mechanism.
> but feel free to start an MD5SUMS file or whatever :)

Ok. I've submitted pam_pkcs11-0.5.3.tar.gz and pam_pkcs11-0.5.3.md5

[...]
> with opensc I have: trunk for 0.10.* development,
> branches/opensc-0.9 for 0.9.* maintenance,
> releases/opensc-0.9.X for releases.
> once the tar file is published the releases/
> directory is no longer touched.

OK. for me: just created branch and releases entries

I've also committed entries at svn/web/news/ and svn/web/LATEST.
and sent mail to opensc-announce.

Expect all to be OK

Thanks for all. Regards
Juan Antonio
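
An added example, not part of the thread or of OpenSC's release tooling: one way to publish and check a checksum file next to a release tarball such as pam_pkcs11-0.5.3.tar.gz. It uses SHA-256 rather than the MD5 file mentioned above; the tarball contents, the 0.5.4 file name and the function names are constructed for illustration. A sums file stored beside the tarball catches corruption or later modification but does not authenticate the publisher, which needs a signature.

```sh
#!/bin/sh
# Added example, not OpenSC project code. Function names are hypothetical and
# the tarball contents are constructed; only the name pam_pkcs11-0.5.3.tar.gz
# comes from the thread.

# write_sums DIR: record a SHA-256 line for every tarball in DIR.
write_sums() {
    ( cd "$1" && sha256sum ./*.tar.gz > SHA256SUMS )
}

# verify_sums DIR: succeed only if every file listed in SHA256SUMS exists
# and still hashes to the recorded value.
verify_sums() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# unlisted DIR: print tarballs present in DIR that SHA256SUMS does not cover.
# "sha256sum -c" checks only the listed files, so an extra upload that was
# never added to the sums file would otherwise pass unnoticed.
unlisted() {
    ( cd "$1" && for f in ./*.tar.gz; do
          awk -v n="$f" '$2 == n { hit = 1 } END { exit !hit }' SHA256SUMS ||
              printf '%s\n' "${f#./}"
      done )
}

# demo: publish, verify, modify the tarball, verify again, add an extra file.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed tarball bytes\n' > "$d/pam_pkcs11-0.5.3.tar.gz"
    write_sums "$d"
    verify_sums "$d" && r1=clean || r1=mismatch
    # Simulate the file changing after the sums were published.
    printf 'modified after publication\n' >> "$d/pam_pkcs11-0.5.3.tar.gz"
    verify_sums "$d" && r2=clean || r2=mismatch
    # Constructed extra tarball that was never added to SHA256SUMS.
    printf 'constructed\n' > "$d/pam_pkcs11-0.5.4.tar.gz"
    r3=$(unlisted "$d")
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo
```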




Re: Re: pam_pkcs11-0.5.3 released

Andreas Jellinghaus-2
On Monday 12 September 2005 12:44, Jonsy (teleline) wrote:
> I've also committed entries at svn/web/news/ and svn/web/LATEST.
> and sent mail to opensc-announce.

fine. with konqueror the right menu looks too short, I can't
read the pam_pkcs11 version number. but I can't find right now
where the length is set. maybe it is only a konqueror issue,
don't know.

Andreas