
Details about package libpam-tacplus

Name: libpam-tacplus (PTS)
Uploader: Pawel Krawczyk <p+debian@krvtz.net> (Debian QA page)
Description: libpam-tacplus - PAM module for using TACACS+ as an authentication service
libtac5 - TACACS+ protocol library
libtac5-bin - TACACS+ client program
libtac-dev - Development files for TACACS+ protocol library

Package uploads

Upload #3

Information

Version: 1.7.0-0.1
Uploaded: 2022-11-10 20:48
Source package: libpam-tacplus_1.7.0-0.1.dsc
Distribution: unstable
Section: admin
Priority: optional
Homepage: https://github.com/kravietz/pam_tacplus
Vcs-Git: https://github.com/kravietz/pam_tacplus.git
Vcs-Browser: https://github.com/kravietz/pam_tacplus
Closes bugs: #1009966

Changelog

 libpam-tacplus (1.7.0-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Improve Debian packaging - implement Lintian changes.
   * libtac: Refactored the complex and overengineered TACACS+ session
     id generation, replacing it with getrandom(2).
   * libtac: gnulib now provides implementation of missing functions.
   * libtac: Removed legacy MD5 code and replaced it with gnulib.
   * libtac: Legacy data structures such as attribute lists were replaced
     with gnulib structures.
   * libtac: CHAP implementation used a fixed challenge in contradiction
     with the RFC 1994 requirement. This was replaced with a pseudo-random
     challenge generated using getrandom(2).
   * libtac: ABI version set to 5:0:0. From now on, this is the only way to
     version the library. The legacy static variables tac_ver_ were removed
     as confusing.
   * pam_tacplus: Calling process PID is now used as the task_id attribute
     in TACACS+ accounting session. This replaces the overengineered
     cryptographically random task identifiers.
   * libtac: Fix CVE-2016-20014. Closes: #1009966

QA information

Comments

  1. Licensing in tests/ included in copyright file. Please note it's not a new package - it was removed from Debian due to a security vulnerability that was never ported to Debian by the current maintainer Jeroen who apparently is no longer active (I've contacted him without response). This release picks up the latest upstream version (which I also happen to maintain) and I'm offering to take over maintenance of this package.
    Pawel Krawczyk at Nov. 10, 2022, 8:53 p.m.
  2. It is not a new SOURCE package but you have added new BINARY packages in debian/control. You have not explained in the changelog why there are now libtac-dev, libtac5, and libtac5-bin.
    Needs work Bastian Germann at Nov. 11, 2022, 5:09 p.m.
  3. This is because library versions have been upgraded significantly since the libtac3 release - but the Debian package versions haven't been updated since. In the changelog it's documented in the "libtac: ABI version..." paragraph. If this is not recommended under Debian policy, I will revert to the existing naming convention.
    Pawel Krawczyk at Nov. 15, 2022, 6:52 a.m.
  4. Where did you get the .xz archive from? Is it public? The watch file does not work (points to GH tags, not releases), so please do not touch it when not really fixing it.
    Needs work Bastian Germann at Dec. 1, 2022, 2:39 p.m.

Upload #2

Information

Version: 1.7.0-0.1
Uploaded: 2022-11-07 14:03
Source package: libpam-tacplus_1.7.0-0.1.dsc
Distribution: unstable
Section: admin
Priority: optional
Homepage: https://github.com/kravietz/pam_tacplus
Closes bugs: #1009966

Changelog

 libpam-tacplus (1.7.0-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Improve Debian packaging - implement Lintian changes.
   * libtac: Refactored the complex and overengineered TACACS+ session
     id generation, replacing it with getrandom(2).
   * libtac: gnulib now provides implementation of missing functions.
   * libtac: Removed legacy MD5 code and replaced it with gnulib.
   * libtac: Legacy data structures such as attribute lists were replaced
     with gnulib structures.
   * libtac: CHAP implementation used a fixed challenge in contradiction
     with the RFC 1994 requirement. This was replaced with a pseudo-random
     challenge generated using getrandom(2).
   * libtac: ABI version set to 5:0:0. From now on, this is the only way to
     version the library. The legacy static variables tac_ver_ were removed
     as confusing.
   * pam_tacplus: Calling process PID is now used as the task_id attribute
     in TACACS+ accounting session. This replaces the overengineered
     cryptographically random task identifiers.
   * libtac: Fix CVE-2016-20014. Closes: #1009966

QA information

Comments

  1. I think I've implemented all required changes now. Bastian, please have a look!
    Pawel Krawczyk at Nov. 7, 2022, 2:06 p.m.
  2. What is the reason for introducing the new binary packages? This type of change is normally outside an NMU's scope, but I would consider uploading with that change as long as it is justified in debian/changelog.
    
    There are Expat-licensed files in test which are not represented in d/copyright as well as Darren Besler's copyright.
    Needs work Bastian Germann at Nov. 8, 2022, 3:54 p.m.

Upload #1

Information

Version: 1.7.0-1
Uploaded: 2022-11-01 11:18
Source package: libpam-tacplus_1.7.0-1.dsc
Distribution: unstable
Section: admin
Priority: optional
Homepage: https://github.com/kravietz/pam_tacplus
Closes bugs: #1009966

Changelog

 libpam-tacplus (1.7.0-1) unstable; urgency=medium
 .
   * libtac: Refactored the complex and overengineered TACACS+ session
     id generation, replacing it with getrandom(2).
   * libtac: gnulib now provides implementation of missing functions.
   * libtac: Removed legacy MD5 code and replaced it with gnulib.
   * libtac: Legacy data structures such as attribute lists were replaced
     with gnulib structures.
   * libtac: CHAP implementation used a fixed challenge in contradiction
     with the RFC 1994 requirement. This was replaced with a pseudo-random
     challenge generated using getrandom(2).
   * libtac: ABI version set to 5:0:0. From now on, this is the only way to
     version the library. The legacy static variables tac_ver_ were removed
     as confusing.
   * pam_tacplus: Calling process PID is now used as the task_id attribute
     in TACACS+ accounting session. This replaces the overengineered
     cryptographically random task identifiers.
   * libtac: Fix CVE-2016-20014. Closes: #1009966

QA information

Comments

  1. I've been gradually taking maintenance on the project back from Jeroen over the last few years and now I found time to refresh the Debian build and would like to become the package maintainer in Debian. As Jeroen has been difficult to get in touch with recently, I'm following the MIA process per https://www.debian.org/doc/manuals/developers-reference/beyond-pkging.en.html#mia-qa
    Pawel Krawczyk at Nov. 1, 2022, 11:26 a.m.
  2. MIA will take a very long time. If you want this to get into bookworm, please make this a Non-maintainer upload with a revision change to 1.7.0-0.1 and having "Non-maintainer upload" as first changelog entry. After some NMUs you can invoke the package salvaging process.
    Needs work Bastian Germann at Nov. 5, 2022, 9:30 p.m.
  3. If you want me to sponsor this, please also convert the debian/copyright to the machine-readable format.
    Needs work Bastian Germann at Nov. 5, 2022, 9:30 p.m.