NEWS: Deprecate nss_hesiod

Message ID 87a6zp7yxd.fsf@oldenburg2.str.redhat.com
State New

Commit Message

Alistair Francis via Libc-alpha July 24, 2020, 2:47 p.m.
Storing user databases in DNS, without client-side DNSSEC validation,
is problematic from a security point of view.

---
 NEWS | 5 +++++
 1 file changed, 5 insertions(+)
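
For administrators acting on this deprecation, an added example (not part of the patch or of glibc) that lists which databases in an nsswitch.conf still route lookups through the `hesiod` service. The sample file content is constructed, and the function name and the `/etc/nsswitch.conf` default path are assumptions of this example.

```python
import re
import sys

# Constructed sample nsswitch.conf (not from the page). "hesiod" is the
# service name that makes glibc load the nss_hesiod module.
SAMPLE = """\
# constructed sample
passwd:     files hesiod
group:      files [NOTFOUND=return] hesiod
shadow:     files
hosts:      files dns   # hesiod appears only in this comment
netgroup:   hesiod
"""

# Action items such as [NOTFOUND=return] or [!UNAVAIL=return SUCCESS=continue]
ACTION = re.compile(r"\[[^\]]*\]")


def hesiod_databases(text, service="hesiod"):
    """Return {database: [services in lookup order]} for every database
    whose lookup chain names the given NSS service."""
    hits = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if ":" not in line:
            continue                               # blank or malformed line
        database, _, chain = line.partition(":")
        services = ACTION.sub(" ", chain).split()  # drop action items
        if service in services:
            hits[database.strip()] = services
    return hits


if __name__ == "__main__":
    # Assumed default path; pass another file as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/nsswitch.conf"
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        path, text = "<constructed sample>", SAMPLE
    for db, chain in hesiod_databases(text).items():
        note = "only source" if chain == ["hesiod"] else "one of " + " ".join(chain)
        print(f"{path}: {db} uses hesiod ({note})")
```

A database reported as "only source" has no fallback once the module is removed, so it is the first to migrate.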

Comments

Alistair Francis via Libc-alpha July 24, 2020, 8:47 p.m. | #1
On 7/24/20 10:47 AM, Florian Weimer via Libc-alpha wrote:
> Storing user databases in DNS, without client-side DNSSEC validation,
> is problematic from a security point of view.

Hesiod could be handled as an external NSS module.

OK for 2.32.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

 
> ---

>  NEWS | 5 +++++

>  1 file changed, 5 insertions(+)

> 

> diff --git a/NEWS b/NEWS

> index 1ef4a0a7a4..83aed60e19 100644

> --- a/NEWS

> +++ b/NEWS

> @@ -147,6 +147,11 @@ Deprecated and removed features, and other changes affecting compatibility:

>    applications which use the malloc hooks must preload a special shared

>    object, to enable the hooks.

>  

> +* The hesiod NSS module has been deprecated and will be removed in a

> +  future version of glibc.  System administrators are encouraged to

> +  switch to other approaches for networked account databases, such as

> +  LDAP.

> +

>  Changes to build and runtime requirements:

>  

>  * powerpc64le requires GCC 7.4 or newer.  This is required for supporting

> 



-- 
Cheers,
Carlos.
Alistair Francis via Libc-alpha July 27, 2020, 6:17 a.m. | #2
* Carlos O'Donell:

> On 7/24/20 10:47 AM, Florian Weimer via Libc-alpha wrote:
>> Storing user databases in DNS, without client-side DNSSEC validation,
>> is problematic from a security point of view.
>
> Hesiod could be handled as an external NSS module.


Indeed, but we'll need a volunteer for that.

> OK for 2.32.
>
> Reviewed-by: Carlos O'Donell <carlos@redhat.com>


Thanks, I will give others a day or two to comment on these
deprecations, too.

Florian

Patch

diff --git a/NEWS b/NEWS
index 1ef4a0a7a4..83aed60e19 100644
--- a/NEWS
+++ b/NEWS
@@ -147,6 +147,11 @@  Deprecated and removed features, and other changes affecting compatibility:
   applications which use the malloc hooks must preload a special shared
   object, to enable the hooks.
 
+* The hesiod NSS module has been deprecated and will be removed in a
+  future version of glibc.  System administrators are encouraged to
+  switch to other approaches for networked account databases, such as
+  LDAP.
+
 Changes to build and runtime requirements:
 
 * powerpc64le requires GCC 7.4 or newer.  This is required for supporting
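
Review bot: The added NEWS paragraph ("The hesiod NSS module has been deprecated ...") tells administrators to migrate but does not say why. The rationale in the commit message, that user databases stored in DNS without client-side DNSSEC validation are problematic from a security point of view, never reaches the text that users actually read. Consider adding one sentence with that reason to the entry. The entry also says only "a future version of glibc"; if a target release for the removal is known, naming it would help administrators plan the switch.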