| Summary: | Changelog 2016 says do not rely on tcb so I unconverted from tcb but pam upgrade requires it again !? | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Dick Gevers <dvgevers> |
| Component: | RPM Packages | Assignee: | Base system maintainers <basesystem> |
| Status: | NEW --- | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | marja11, pterjan |
| Version: | Cauldron | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | pam-1.3.0-7.mga7, tcb-1.1-8.mga7 | CVE: | |
| Status comment: | |||
From bug #16467, comment #21 and bug #16467, comment #22 I understand that we switched to sha512 because it is easier to maintain... it seems we were the only ones to use blowfish by default.

However, we _only_ switched for newly created users and new passwords, we never forced all Mageia-users to redo their blowfish passwords.

The reason that you can remove tcb, is that it is only required to install pam, but not to use pam.

http://svnweb.mageia.org/packages/cauldron/pam/current/SPECS/pam.spec?revision=1251145&view=markup#l72

Is it possible, and _safe_, to remove it, if there are some lines starting with "$2a$" in /etc/shadow?

Assignee: bugsquad => basesystem
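An added example, not part of the bug report or of Mageia's packages: a Python sketch that lists which accounts in shadow(5)-format text still carry "$2a$" (blowfish) hashes and which carry "$6$" (sha512) ones, the condition the comment above asks about. The sample entries are constructed and the function names are hypothetical.

```python
import sys
from collections import defaultdict

# crypt(3) hash prefixes mapped to scheme names.
PREFIXES = (
    ("$2a$", "blowfish"), ("$2b$", "blowfish"), ("$2y$", "blowfish"),
    ("$6$", "sha512"), ("$5$", "sha256"), ("$1$", "md5"),
)

# Constructed sample entries; the salts and hashes are placeholders, not real.
SAMPLE = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17000:0:99999:7:::
alice:$2a$08$CONSTRUCTEDSALTANDHASH:16000:0:99999:7:::
bob:!$2a$08$CONSTRUCTEDSALTANDHASH:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
carol:!!:16000::::::
"""

def classify(field):
    """Name the scheme used by the password field of one shadow entry."""
    # A leading '!' only locks the account; the hash after it still matters
    # if the account is unlocked later, so classify what follows.
    body = field.lstrip("!")
    if body in ("", "*"):
        return "empty" if field == "" else "no-login"
    for prefix, name in PREFIXES:
        if body.startswith(prefix):
            return name
    return "other"

def inventory(text):
    """Map scheme name -> list of user names, in file order."""
    found = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue  # skip blank, comment and malformed lines
        found[classify(parts[1])].append(parts[0])
    return dict(found)

if __name__ == "__main__":
    # Pass a shadow-format file as the first argument (reading /etc/shadow
    # needs root); with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for scheme, users in sorted(inventory(text).items()):
        print(f"{scheme}: {', '.join(users)}")
```

Locked entries are counted under their hash scheme on purpose, since unlocking such an account makes the old hash usable again.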
Description of problem:

For years I had a tcb converted system based on suggestions of V.Danen until Mageia's pam stopped this:

From pam changelog I quote:

    * Sun Jul 31 2016 philippem <philippem> 1.3.0-3.mga6
    + Revision: 1044163
    - add post to be sure to remove tcb and use sha512
    ...
    * Thu Jul 28 2016 philippem <philippem> 1.3.0-2.mga6
    + Revision: 1043840
    ....
    - don't rely on tcb, use sha512 mga#18930, mga#17504
    + tv <tv>
    ....
    - kill commented out tcb obsoleting unix (dead since 2008)

unquote

So after the quoted changes I unconverted my systems from tcb and removed the *tcb* packages.

But yesterday the upgrade to pam-1.3.0-7 required the *tcb* packages again so they were pulled in by urpmi ("...--skip..." did not work).

But after this upgrade I could simply remove the *tcb* packages again with urpme.

The *tcb* packages are: tcb, pam_tcb, nss_tcb and lib64tcb0

I am not a dev, so shoot me if I am wrong, but the requirements for *tcb* seem superfluous if I can remove them immediately after upgrade.

Please remove the need for *tcb* if you agree. Thanks.