Subject: Re: CVS commit: basesrc
To: None <itojun@iijlab.net>
From: Jim Wise <jwise@draga.com>
List: source-changes
Date: 12/28/2000 21:32:57

On Fri, 29 Dec 2000 itojun@iijlab.net wrote:

>>>Added Files:
>>>	basesrc/usr.sbin/racoon: Makefile Makefile.inc
>>>	basesrc/usr.sbin/racoon/libpfkey: Makefile
>>>	basesrc/usr.sbin/racoon/racoon: Makefile
>>>Removed Files:
>>>	basesrc/sbin/racoon: Makefile Makefile.inc
>>>	basesrc/sbin/racoon/libpfkey: Makefile
>>>	basesrc/sbin/racoon/racoon: Makefile
>>>
>>>Log Message:
>>>move racoon build framework from sbin/racoon to usr.sbin/racoon.
>>
>>How does this affect hosts which mount /usr via NFS-over-IPSec?  Or is
>>racoon not usable that early in the boot process for other reasons?
>
>	as following note shows, we cannot use racoon to protect
>	NFS-over-IPsec mounted /usr.  it is unfortunate, but footprint is
>	rather big for static linkage (it has to link libcrypto as well as
>	kerberos libraries).  please use manual keys during bootstrap.

Hmm.  That's unfortunate -- it seems to me that in a shop with a large
number of hosts, especially one otherwise using the new Kerberos IKE
code, this could be a big management hassle.

On the other hand, I understand the difficulty in placing such a large
binary on / by default.  I wonder if it would be possible to set a
mk.conf variable to have usr.sbin/racoon built statically into /sbin?
It seems that even if not a good default, this should be available as an
option...

--
				Jim Wise
				jwise@draga.com