CrackLib gone onto Sourceforge

Well I am not going to go into the reasons why there has been no major update of CrackLib for several years – not yet, anyway, that’s a longer story perhaps for another occasion – but in any case Nathan Neulinger has done the proper Open Source thing and forged ahead on his own, and I support his display of gusto, initiative and zing:

To: [various notables]

Sorry for the wide mailing, wanted to make sure that everyone relevant got this info since I’ve pulled patches and pieces from all of you to do it. I’ve also included Alec Muffett in this mailing (and previously attempted contact as well) as a courtesy.

As near as I can tell, development on cracklib has mostly been stagnant except for distribution repackaging, with a large amount of duplication between the various distros. There are numerous reports of problems with cracklib segfaulting in various situations, as well as cases of projects like samba removing support due to the potential for crashes and lack of maintenance.

I happen to like the library and think it serves a very useful purpose. Before working to fix those bugs, I didn’t want to set up a situation where I’d send out a patch, and the status would stay the same with some distros getting the updates, but no ideal central place to release them or maintain the updated build. Because of this, it seemed like the best course of action would be to fork the library and start a new project, currently hosted on sourceforge.

This note is to let you know that a repackaged library is now available for initial testing. I’m currently calling it cracklib 3.0 with the test release being 3.0pre1.

Changes from the v2.7 releases:

  • Integrated numerous patches from gentoo, fedora, redhat, mandrake, blfs distros

  • Completely redid the build infrastructure to use auto* and libtool so there is now a nice standardized mechanism for building both static and shared lib versions.

  • Put together some changes to correct the problems with the segfaults I was able to reproduce with certain passwords. (Basically should cover the various reports that have been made on the PAM mailing list, etc.)

  • Put together a cleaner way of building the dictionaries based on some work done in the gentoo release.

A new script is installed ‘create-cracklib-dict’, along with renamed tools (the existing names were too generic IMHO) cracklib-packer, cracklib-unpacker, cracklib-format (does what mkdict used to do), and cracklib-check – which is a simple command line checker tool that some distros have included.

I also pulled together a sizable set of public domain and/or previously released crack/cracklib dictionaries to provide a large starter dictionary (distributed separately from the library since it won’t change much).

I’m looking for any possible feedback and indications of any interest from y’all, since you appear to be the main maintainers of the packages I’ve seen. Additionally, I’m looking for anyone who would be interested in joining the project on SF to merge in any of your updates that I have missed. (In particular, I have not done anything with the fedora 64 bit patch and haven’t included any of the package manager spec files/etc.)

Do y’all think that sticking with v3.0 makes sense? Also, since the shared library in this version is 100% compatible with the v2.7 release, would it make sense to start the library version out at 2.7.0 or 2.8 instead of a new major?

Big things still to do: integrate a spec file for easy rpm building (not my specialty)

Preliminary library package download: [prdownloads.sourceforge.net]

Large dictionary (the above package includes a small one to start off): [prdownloads.sourceforge.net]

Any feedback/thoughts would be appreciated greatly!
