Hello, as previously discussed it seems all stakeholders are pretty much in agreement that it would be better for debian to use the implementation of login tools from src:util-linux instead of from src:shadow. Investigations about implementation differences has been done and remaining work is basically to implement the switch. (Details in #833256)
As a preparation step for larger login package switch (which I'm not comitting to at the moment!), I'd like to start with switching only 'su' and moving it from 'login' (binary package) to 'util-linux' (binary package). This should also pave the way for potentially making login non-essential in the future. WIP on util-linux side: https://salsa.debian.org/debian/util-linux/commit/a2449f1a1bf0f77a80aa1f71871fa32b4d14d6f5 I don't feel entirely comfortable doing this security-sensitive work entirely on my own without peer review. I'm thus looking for people willing to review the security critical aspects, preferably PAM experts. Are you willing to help? Please contact me. Regards, Andreas Henriksson
