From: David W. <dw...@in...> - 2016-06-30 10:07:13
On Thu, 2016-06-30 at 11:41 +0200, Nikos Mavrogiannopoulos wrote:
> On Thu, 2016-06-30 at 09:51 +0200, Ludovic Rousseau wrote:
> >
> > A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl
> > 1.1.0"
> > FTBFS is Fails To Build From Source.
> > When OpenSSL 1.1.0 will be included in Debian pam-pkcs11 will be
> > removed from Debian, unless someone adds support of the new OpenSSL
> > API.
> >
> > If you (or your company) use pam-pkcs11 you should worry about the
> > situation.
> >
> > RedHat provides [4] pam-pkcs11 to its customers. It could be a good
> > idea for RedHat to invest some R&D time to take maintenance of the
> > software to keep its (paying) customers happy.
>
> Note that in Red Hat we use pam-pkcs11 with NSS and not openssl. That
> option (to my knowledge) seems to work even today.

FSVO "seems to work" which I wouldn't necessarily advocate because it
doesn't actually comply with that distribution's own packaging
guidelines — it doesn't load the correct modules according to the
system's PKCS#11 configuration.

Hence https://bugzilla.redhat.com/show_bug.cgi?id=1173548

Like many packages in Fedora, we should probably move *away* from NSS
unless it gets fixed to comply with the distribution's guidelines. I
have a GSoC student working on supporting RFC7512 URIs in NSS this
year, but not a lot of progress on loading the correct tokens by
default.

--
David Woodhouse                            Open Source Technology Centre
Dav...@in...                              Intel Corporation