- Kerberos Version 5, Release 1.3
+ Kerberos Version 5, Release 1.8
- Release Notes
- The MIT Kerberos Team
+ Release Notes
+ The MIT Kerberos Team
Unpacking the Source Distribution
---------------------------------
The source distribution of Kerberos 5 comes in a gzipped tarfile,
-krb5-1.3.tar.gz. Instructions on how to extract the entire
+krb5-1.8.tar.gz. Instructions on how to extract the entire
distribution follow.
If you have the GNU tar program and gzip installed, you can simply do:
- gtar zxpf krb5-1.3.tar.gz
+ gtar zxpf krb5-1.8.tar.gz
If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:
- gzcat krb5-1.3.tar.gz | tar xpf -
+ gzcat krb5-1.8.tar.gz | tar xpf -
-Both of these methods will extract the sources into krb5-1.3/src and
-the documentation into krb5-1.3/doc.
+Both of these methods will extract the sources into krb5-1.8/src and
+the documentation into krb5-1.8/doc.
Building and Installing Kerberos 5
----------------------------------
and logging in as "guest" with password "guest".
-Notes, Major Changes, and Known Bugs for 1.3
---------------------------------------------
-
-* We now install the compile_et program, so other packages can use the
- installed com_err library with their own error tables. (If you use
- our com_err code, that is; see below.)
-
-* The header files we install now assume ANSI/ISO C ('89, not '99).
- We have stopped testing on SunOS 4, even with gcc. Some of our code
- now has C89-based assumptions, like free(NULL) being well defined,
- that will probably frustrate any attempts to run this code under SunOS
- 4 or other pre-C89 systems.
-
-* Some new code, bug fixes, and cleanup for IPv6 support. [[TODO:
- Insert list of (non-)supporting programs and libraries here.]]
-
-* We have upgraded to autoconf 2.52 (or later), and the syntax for
- specifying certain configuration options have changed. For example,
- autoconf 2.52 configure scripts let you specify command-line options
- like "configure CC=/some/path/foo-cc", so we have removed some of
- our old options like --with-cc in favor of this approach.
-
-* The client libraries can now use TCP to connect to the KDC. This
- may be necessary when talking to Microsoft KDCs (domain controllers),
- if they issue you tickets with lots of PAC data.
-
-* If you have versions of the com_err, ss, or Berkeley DB packages
- installed locally, you can use the --with-system-et,
- --with-system-ss, and --with-system-db configure options to use them
- rather than using the versions supplied here. Note that the
- interfaces are assumed to be similar to those we supply; in
- particular, some older, divergent versions of the com_err library
- may not work with the krb5 sources. Many configure-time variables
- can be used to help the compiler and linker find the installed
- packages; see the build documentation for details.
-
-Major changes listed by ticket ID
----------------------------------
-
-* [492] PRNG breakage on 64-bit platforms no longer an issue due to
- new PRNG implementation.
-
-* [523] Client library is now compatible with the RC4-based
- cryptosystem used by Windows 2000.
-
-* [709] krb4 long lifetime support has been implemented.
-
-* [880] krb5_gss_register_acceptor_identity() implemented (is called
- gsskrb5_register_acceptor_identity() by Heimdal).
-
-* [1156, 1209] It is now possible to use the system com_err to build
- this release.
-
-* [1174] TCP support added to client library.
-
-* [1175] TCP support added to the KDC, but is disabled by default.
-
-* [1176] autoconf-2.5x is now required by the build system.
-
-* [1184] It is now possible to use the system Berkeley/Sleepycat DB
- library to build this release.
-
-* [1189, 1251] The KfM krb4 library source base has been merged.
-
-* [1385, 1395, 1410] The krb4 protocol vulnerabilities
- [MITKRB5-SA-2003-004] have been worked around. Note that this will
- disable krb4 cross-realm functionality, as well as krb4 triple-DES
- functionality. Please see doc/krb4-xrealm.txt for details of the
- patch.
-
-* [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have
- been fixed.
-
-* [1397] The krb5_principal buffer bounds problems
- [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai.
-
-Minor changes listed by ticket ID
----------------------------------
-
-* [90] default_principal_flags documented.
-
-* [175] Docs refer to appropriate example domains/IPs now.
-
-* [433] --includedir honored now.
-
-* [479] unused argument in try_krb4() in login.c deleted.
-
-* [608] login.krb5 handles SIGHUP more sanely now and thus avoids
- getting the session into a weird state w.r.t. job control.
-
-* [620] krb4 encrypted rcp should work a little better now. Thanks to
- Greg Hudson.
-
-* [673] Weird echoing of admin password in kadmin client worked around
- by not using buffered stdio calls to read passwords.
-
-* [677] The build system has been reworked to allow the user to set
- CFLAGS, LDFLAGS, CPPFLAGS, etc. reasonably.
-
-* [680] Related to [673], rewrite krb5_prompter_posix() to no longer
- use longjmp(), thus avoiding some bugs relating to non-restoration
- of terminal settings.
-
-* [697] login.krb5 no longer zeroes out the terminal window size.
-
-* [710] decomp_ticket() in libkrb4 now looks up the local realm name
- more correctly. Thanks to Booker Bense.
-
-* [771] .rconf files are excluded from the release now.
-
-* [772] LOG_AUTHPRIV syslog facility is now usable for logging on
- systems that support it.
-
-* [844] krshd now syslogs using the LOG_AUTH facility.
-
-* [850] Berekely DB build is better integrated into the krb5 library
- build process.
-
-* [866] lib/krb5/os/localaddr.c and kdc/network.c use a common source
- for local address enumeration now.
-
-* [919] kdc/network.c problems relating to SIOCGIFCONF have been
- fixed.
-
-* [922] An overflow in the string-to-time conversion routines has been
- fixed.
-
-* [935] des-cbc-md4 now included in default enctypes.
-
-* [953] des3 no longer failing on Windows due to SHA1 implementation
- problems.
-
-* [970] A minor inconsistency in ccache.tex has been fixed.
-
-* [971] option parsing bugs rendered irrelevant by removal of unused
- gss mechanism.
-
-* [986] Related to [677], problems with the ordering of LDFLAGS
- initialization rendered irrelevant by use of native autoconf
- idioms.
-
-* [992] Related to [677], quirks with --with-cc no longer relevant as
- AC_PROG_CC is used instead now.
-
-* [999] kdc_default_options now honored in gss context initialization.
-
-* [1006] Client library, as well as KDC, now perform reasonable
- sorting of ETYPE-INFO preauthentication data.
-
-* [1055] NULL pointer dereferences in code calling
- krb5_change_password() have been fixed.
-
-* [1063] Initial credentials acquisition failures related to client
- host having a large number of local network interfaces should be
- fixed now.
-
-* [1064] krb5_auth_con_genaddrs() no longer inappropriately returns -1
- on some error cases.
-
-* [1065, 1225] krb5_get_init_creds_password() should properly warn about
- password expiration.
-
-* [1066] printf() argument mismatches in rpc unit tests fixed.
-
-* [1087] ftpd no longer requires channel bindings, allowing easier use
- of ftp from behind a NAT.
-
-* [1102] gssapi_generic.h should now work with C++.
-
-* [1164] krb5_auth_con_gen_addrs() now properly returns errno instead
- of -1 if getpeername() fails.
-
-* [1178, 1228, 1244, 1246, 1249] Test suite has been stabilized
- somewhat.
-
-* [1188] As part of the modernization of our usage of autoconf,
- AC_CONFIG_FILES is now used instead of passing a list of files to
- AC_OUTPUT.
-
-* [1194] configure will no longer recurse out of the top of the source
- tree when attempting to locate the top of the source tree.
-
-* [1195] Example krb5.conf file modified to include all enctypes
- supported by the release.
-
-* [1211] The ASN.1 code no longer passes (harmless) uninitialized
- values around.
-
-* [1212] libkadm5 now allows for persistent exclusive database locks.
-
-* [1217] krb5_read_password() and des_read_password() are now
- implemented via krb5_prompter_posix().
-
-* [1224] For SAM challenges, omitted optional strings are no longer
- encoded as zero-length strings.
-
-* [1226] Client-side support for SAM hardware-based preauth
- implemented.
-
-* [1232] If the master KDC cannot be resolved, but a slave is
- reachable, the client library now returns the real error from the
- slave rather than the resolution failure from the master. Thanks to
- Ben Cox.
-
-* [1234] Assigned numbers for SAM preauth have been corrected.
- sam-pk-for-sad implementation has been aligned.
-
-* [1237] Profile-sharing optimizations from KfM have been merged.
-
-* [1240] Windows calling conventions for krb5int_c_combine_keys() have
- been aligned.
-
-* [1256] Incorrect sizes passed to memset() in combine_keys()
- operations have been corrected.
-
-* [1260] Client credential lookup now gets new service tickets in
- preference to attempting to use expired ticketes. Thanks to Ben
- Cox.
-
-* [1284] kshd accepts connections by IPv6 now.
-
-* [1292] kvno manpage title fixed.
-
-* [1293] Source files no longer explicitly attempt to declare errno.
-
-* [1304] kadmind4 no longer leaves sa_flags uninitialized.
+DES transition
+--------------
-* [1309] krb5_send_tgs() no longer leaks the storage associated with
- the TGS-REQ.
+The Data Encryption Standard (DES) is widely recognized as weak. The
+krb5-1.7 release contains measures to encourage sites to migrate away
+from using single-DES cryptosystems. Among these is a configuration
+variable that enables "weak" enctypes, which defaults to "false"
+beginning with krb5-1.8.
-* [1310] kadm5_get_either() no longer leaks regexp library memory.
+Major changes in 1.8
+--------------------
-* [1311] Output from krb5-config no longer contains spurious uses of
- $(PURE).
+The krb5-1.8 release contains a large number of changes, featuring
+improvements in the following broad areas:
-* [1324] The KDC no longer logs an inappropriate "no matching key"
- error when an encrypted timestamp preauth password is incorrect.
+* Code quality
+* Modularity
+* Performance
+* End-user experience
+* Administrator experience
+* Protocol evolution
-* [1342] gawk is no longer required for building kerbsrc.zip for the
- Windows build.
+Code quality:
-* [1346] gss_krb5_ccache_name() no longer attempts to return a pointer
- to freed memory.
+* Move toward test-driven development -- new features have test code,
+ or at least written testing procedures.
-* [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately
- during GSSAPI context establishment.
+* Increase conformance to coding style
-* [1356] krb5_gss_accept_sec_context() no longer attempts to validate
- a null credential if one is passed in.
+ + "The great reindent"
-* [1362] The "-a user" option to telnetd now does the right thing.
- Thanks to Nathan Neulinger.
+ + Selective refactoring
-* [1363] ksu no longer inappropriately syslogs to stderr.
+Modularity:
-* [1357] krb__get_srvtab_name() no longer leaks memory.
+* Crypto modularity -- vendors can more easily substitute their own
+ crypto implementations, which might be hardware-accelerated or
+ validated to FIPS 140, for the builtin crypto implementation that
+ has historically shipped as part of MIT Kerberos. Currently, only
+ an OpenSSL provider is included, but others are possible.
-* [1373] Handling of SAM preauth no longer attempts to stuff a size_t
- into an unsigned int.
+* Move toward improved KDB interface
-* [1387] BIND versions later than 8 now supported.
+* Improved API for verifying and interrogating authorization data
-* [1392] The getaddrinfo() wrapper should work better on AIX.
+Performance:
-* [1400] If DO_TIME is not set in the auth_context, and no replay
- cache is available, no replay cache will be used.
+* Investigate and remedy repeatedly-reported performance bottlenecks.
-* [1406] libdb is no longer installed. If you installed
- krb5-1.3-alpha1, you should ensure that no spurious libdb is left in
- your install tree.
+* Encryption performance -- new crypto API with opaque key structures,
+ to allow for optimizations such as caching of derived keys
-* [1412] ETYPE_INFO handling no longer goes into an infinite loop.
+End-user experience:
-* [1414] libtelnet is now built using the same library build framework
- as the rest of the tree.
+* Reduce DNS dependence by implementing an interface that allows
+ client library to track whether a KDC supports service principal
+ referrals.
---[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ]--
+Administrator experience:
-* [1054] KRB-CRED messages for RC4 are encrypted now.
+* Disable DES by default -- this reduces security exposure from using
+ an increasingly insecure cipher.
-* [1177] krb5-1-2-2-branch merged onto trunk.
+* More versatile crypto configuration, to simplify migration away from
+ DES -- new configuration syntax to allow inclusion and exclusion of
+ specific algorithms relative to a default set.
-* [1193] Punted comment about reworking key storage architecture.
+* Account lockout for repeated login failures -- mitigates online
+ password guessing attacks, and helps with some enterprise regulatory
+ compliance.
-* [1208] install-headers target implemented.
+Protocol evolution:
-* [1223] asn1_decode_oid, asn1_encode_oid implemented
+* FAST enhancements -- preauthentication framework enhancements
-* [1276] Generated dependencies handle --without-krb4 properly now.
+* Microsoft Services for User (S4U) compatibility: S4U2Self, also
+ known as "protocol transition", allows for service to ask a KDC for
+ a ticket to themselves on behalf of a client authenticated via a
+ different means; S4U2Proxy allows a service to ask a KDC for a
+ ticket to another service on behalf of a client.
-* [1384, 1413] Use of autoconf-2.52 in util/reconf will now cause a
- warning.
+* Anonymous PKINIT -- allows the use of public-key cryptography to
+ anonymously authenticate to a realm
-* [1388] DNS support is turned on in KfM.
+krb5-1.8 changes by ticket ID
+-----------------------------
-* [1391] Fix kadmind startup failure with krb4 vuln patch.
+5468 delete kadmin v1 support
+6206 new API for storing extra per-principal data in ccache
+6434 krb5_cc_resolve() will crash if a null name param is provided
+6454 Make krb5_mkt_resolve error handling work
+6510 Restore limited support for static linking
+6539 Enctype list configuration enhancements
+6547 Modify kadm5 initializers to accept krb5 contexts
+6563 Implement s4u extensions
+6564 s4u extensions integration broke test suite...
+6565 HP-UX IA64 wrong endian
+6572 Implement GSS naming extensions and authdata verification
+6576 Implement new APIs to allow improved crypto performance
+6577 Account lockout for repeated login failures
+6578 Heimdal DB bridge plugin for KDC back end
+6580 Constrained delegation without PAC support
+6582 Memory leak in _kadm5_init_any introduced with ipropd
+6583 Unbundle applications into separate repository
+6586 libkrb5 support for non-blocking AS requests
+6590 allow testing even if name->addr->name mapping doesn't work
+6591 fix slow behavior on Mac OS X with link-local addresses
+6593 Remove dependency on /bin/csh in test suite
+6595 FAST (preauth framework) negotiation
+6597 Add GSS extensions to store credentials, generate random bits
+6605 PKINIT client should validate SAN for TGS, not service principal
+6606 allow testing when offline
+6607 anonymous PKINIT
+6616 Fix spelling and hyphen errors in man pages
+6618 Support optional creation of PID files for krb5kdc and kadmind
+6620 kdc_supported_enctypes does nothing; eradicate mentions thereof
+6621 disable weak crypto by default
-Copyright Notice and Legal Administrivia
-----------------------------------------
+Copyright and Other Legal Notices
+---------------------------------
-Copyright (C) 1985-2003 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2010 by the Massachusetts Institute of Technology.
All rights reserved.
for any purpose. It is provided "as is" without express or implied
warranty.
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Individual source code files are copyright MIT, Cygnus Support,
-OpenVision, Oracle, Sun Soft, FundsXpress, and others.
+Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
+FundsXpress, and others.
Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).
-----
+ --------------------
+
+Portions of src/lib/crypto have the following copyright:
+
+ Copyright (C) 1998 by the FundsXpress, INC.
+
+ All rights reserved.
+
+ Export of this software from the United States of America may require
+ a specific license from the United States Government. It is the
+ responsibility of any person or organization contemplating export to
+ obtain such a license before exporting.
+
+ WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ distribute this software and its documentation for any purpose and
+ without fee is hereby granted, provided that the above copyright
+ notice appear in all copies and that both that copyright notice and
+ this permission notice appear in supporting documentation, and that
+ the name of FundsXpress. not be used in advertising or publicity pertaining
+ to distribution of the software without specific, written prior
+ permission. FundsXpress makes no representations about the suitability of
+ this software for any purpose. It is provided "as is" without express
+ or implied warranty.
+
+ THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+
+ --------------------
The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
of lib/rpc:
- Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
-
- WARNING: Retrieving the OpenVision Kerberos Administration system
- source code, as described below, indicates your acceptance of the
- following terms. If you do not agree to the following terms, do not
- retrieve the OpenVision Kerberos administration system.
-
- You may freely use and distribute the Source Code and Object Code
- compiled from it, with or without modification, but this Source
- Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
- INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
- FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
- EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
- FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
- CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
- WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
- CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
- OTHER REASON.
-
- OpenVision retains all copyrights in the donated Source Code. OpenVision
- also retains copyright to derivative works of the Source Code, whether
- created by OpenVision or by a third party. The OpenVision copyright
- notice must be preserved if derivative works are made based on the
- donated Source Code.
-
- OpenVision Technologies, Inc. has donated this Kerberos
- Administration system to MIT for inclusion in the standard
- Kerberos 5 distribution. This donation underscores our
- commitment to continuing Kerberos technology development
- and our gratitude for the valuable work which has been
- performed by MIT and the Kerberos community.
-
-----
-
- Portions contributed by Matt Crawford <crawdad@fnal.gov> were
- work performed at Fermi National Accelerator Laboratory, which is
- operated by Universities Research Association, Inc., under
- contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
-
----- The implementation of the Yarrow pseudo-random number generator
-in src/lib/crypto/yarrow has the following copyright:
-
-Copyright 2000 by Zero-Knowledge Systems, Inc.
-
-Permission to use, copy, modify, distribute, and sell this software
-and its documentation for any purpose is hereby granted without fee,
-provided that the above copyright notice appear in all copies and that
-both that copyright notice and this permission notice appear in
-supporting documentation, and that the name of Zero-Knowledge Systems,
-Inc. not be used in advertising or publicity pertaining to
-distribution of the software without specific, written prior
-permission. Zero-Knowledge Systems, Inc. makes no representations
-about the suitability of this software for any purpose. It is
-provided "as is" without express or implied warranty.
-
-ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
-THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
-ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
-OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
----- The implementation of the AES encryption algorithm in
+ Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
+
+ WARNING: Retrieving the OpenVision Kerberos Administration system
+ source code, as described below, indicates your acceptance of the
+ following terms. If you do not agree to the following terms, do not
+ retrieve the OpenVision Kerberos administration system.
+
+ You may freely use and distribute the Source Code and Object Code
+ compiled from it, with or without modification, but this Source
+ Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
+ INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
+ FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
+ EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
+ FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
+ CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
+ WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
+ CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
+ OTHER REASON.
+
+ OpenVision retains all copyrights in the donated Source Code. OpenVision
+ also retains copyright to derivative works of the Source Code, whether
+ created by OpenVision or by a third party. The OpenVision copyright
+ notice must be preserved if derivative works are made based on the
+ donated Source Code.
+
+ OpenVision Technologies, Inc. has donated this Kerberos
+ Administration system to MIT for inclusion in the standard
+ Kerberos 5 distribution. This donation underscores our
+ commitment to continuing Kerberos technology development
+ and our gratitude for the valuable work which has been
+ performed by MIT and the Kerberos community.
+
+ --------------------
+
+ Portions contributed by Matt Crawford <crawdad@fnal.gov> were
+ work performed at Fermi National Accelerator Laboratory, which is
+ operated by Universities Research Association, Inc., under
+ contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
+
+ --------------------
+
+The implementation of the Yarrow pseudo-random number generator in
+src/lib/crypto/yarrow has the following copyright:
+
+ Copyright 2000 by Zero-Knowledge Systems, Inc.
+
+ Permission to use, copy, modify, distribute, and sell this software
+ and its documentation for any purpose is hereby granted without fee,
+ provided that the above copyright notice appear in all copies and that
+ both that copyright notice and this permission notice appear in
+ supporting documentation, and that the name of Zero-Knowledge Systems,
+ Inc. not be used in advertising or publicity pertaining to
+ distribution of the software without specific, written prior
+ permission. Zero-Knowledge Systems, Inc. makes no representations
+ about the suitability of this software for any purpose. It is
+ provided "as is" without express or implied warranty.
+
+ ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
+ THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
+ ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
+ OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ --------------------
+
+The implementation of the AES encryption algorithm in
src/lib/crypto/aes has the following copyright:
- Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
- All rights reserved.
+ Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
+ All rights reserved.
+
+ LICENSE TERMS
+
+ The free distribution and use of this software in both source and binary
+ form is allowed (with or without changes) provided that:
+
+ 1. distributions of this source code include the above copyright
+ notice, this list of conditions and the following disclaimer;
+
+ 2. distributions in binary form include the above copyright
+ notice, this list of conditions and the following disclaimer
+ in the documentation and/or other associated materials;
+
+ 3. the copyright holder's name is not used to endorse products
+ built using this software without specific written permission.
+
+ DISCLAIMER
+
+ This software is provided 'as is' with no explcit or implied warranties
+ in respect of any properties, including, but not limited to, correctness
+ and fitness for purpose.
+
+ --------------------
+
+Portions contributed by Red Hat, including the pre-authentication
+plug-ins framework, contain the following copyright:
+
+ Copyright (c) 2006 Red Hat, Inc.
+ Portions copyright (c) 2006 Massachusetts Institute of Technology
+ All Rights Reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ * Neither the name of Red Hat, Inc., nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+ --------------------
+
+The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
+src/lib/gssapi, including the following files:
+
+ lib/gssapi/generic/gssapi_err_generic.et
+ lib/gssapi/mechglue/g_accept_sec_context.c
+ lib/gssapi/mechglue/g_acquire_cred.c
+ lib/gssapi/mechglue/g_canon_name.c
+ lib/gssapi/mechglue/g_compare_name.c
+ lib/gssapi/mechglue/g_context_time.c
+ lib/gssapi/mechglue/g_delete_sec_context.c
+ lib/gssapi/mechglue/g_dsp_name.c
+ lib/gssapi/mechglue/g_dsp_status.c
+ lib/gssapi/mechglue/g_dup_name.c
+ lib/gssapi/mechglue/g_exp_sec_context.c
+ lib/gssapi/mechglue/g_export_name.c
+ lib/gssapi/mechglue/g_glue.c
+ lib/gssapi/mechglue/g_imp_name.c
+ lib/gssapi/mechglue/g_imp_sec_context.c
+ lib/gssapi/mechglue/g_init_sec_context.c
+ lib/gssapi/mechglue/g_initialize.c
+ lib/gssapi/mechglue/g_inquire_context.c
+ lib/gssapi/mechglue/g_inquire_cred.c
+ lib/gssapi/mechglue/g_inquire_names.c
+ lib/gssapi/mechglue/g_process_context.c
+ lib/gssapi/mechglue/g_rel_buffer.c
+ lib/gssapi/mechglue/g_rel_cred.c
+ lib/gssapi/mechglue/g_rel_name.c
+ lib/gssapi/mechglue/g_rel_oid_set.c
+ lib/gssapi/mechglue/g_seal.c
+ lib/gssapi/mechglue/g_sign.c
+ lib/gssapi/mechglue/g_store_cred.c
+ lib/gssapi/mechglue/g_unseal.c
+ lib/gssapi/mechglue/g_userok.c
+ lib/gssapi/mechglue/g_utils.c
+ lib/gssapi/mechglue/g_verify.c
+ lib/gssapi/mechglue/gssd_pname_to_uid.c
+ lib/gssapi/mechglue/mglueP.h
+ lib/gssapi/mechglue/oid_ops.c
+ lib/gssapi/spnego/gssapiP_spnego.h
+ lib/gssapi/spnego/spnego_mech.c
+
+and the initial implementation of incremental propagation, including
+the following new or changed files:
+
+ include/iprop_hdr.h
+ kadmin/server/ipropd_svc.c
+ lib/kdb/iprop.x
+ lib/kdb/kdb_convert.c
+ lib/kdb/kdb_log.c
+ lib/kdb/kdb_log.h
+ lib/krb5/error_tables/kdb5_err.et
+ slave/kpropd_rpc.c
+ slave/kproplog.c
+
+and marked portions of the following files:
+
+ lib/krb5/os/hst_realm.c
+
+are subject to the following license:
+
+ Copyright (c) 2004 Sun Microsystems, Inc.
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+ --------------------
+
+MIT Kerberos includes documentation and software developed at the
+University of California at Berkeley, which includes this copyright
+notice:
+
+ Copyright (C) 1983 Regents of the University of California.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ 3. Neither the name of the University nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+ --------------------
+
+Portions contributed by Novell, Inc., including the LDAP database
+backend, are subject to the following license:
+
+ Copyright (c) 2004-2005, Novell, Inc.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ * The copyright holder's name is not used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ --------------------
+
+Portions funded by Sandia National Laboratory and developed by the
+University of Michigan's Center for Information Technology
+Integration, including the PKINIT implementation, are subject to the
+following license:
+
+ COPYRIGHT (C) 2006-2007
+ THE REGENTS OF THE UNIVERSITY OF MICHIGAN
+ ALL RIGHTS RESERVED
+
+ Permission is granted to use, copy, create derivative works
+ and redistribute this software and such derivative works
+ for any purpose, so long as the name of The University of
+ Michigan is not used in any advertising or publicity
+ pertaining to the use of distribution of this software
+ without specific, written prior authorization. If the
+ above copyright notice or any other identification of the
+ University of Michigan is included in any copy of any
+ portion of this software, then the disclaimer below must
+ also be included.
+
+ THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGES.
+
+ --------------------
+
+The pkcs11.h file included in the PKINIT code has the following
+license:
+
+ Copyright 2006 g10 Code GmbH
+ Copyright 2006 Andreas Jellinghaus
+
+ This file is free software; as a special exception the author gives
+ unlimited permission to copy and/or distribute it, with or without
+ modifications, as long as this notice is preserved.
+
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY, to the extent permitted by law; without even
+ the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE.
+
+ --------------------
+
+Portions contributed by Apple Inc. are subject to the following license:
+
+Copyright 2004-2008 Apple Inc. All Rights Reserved.
+
+Export of this software from the United States of America may require
+a specific license from the United States Government. It is the
+responsibility of any person or organization contemplating export to
+obtain such a license before exporting.
+
+WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+distribute this software and its documentation for any purpose and
+without fee is hereby granted, provided that the above copyright
+notice appear in all copies and that both that copyright notice and
+this permission notice appear in supporting documentation, and that
+the name of Apple Inc. not be used in advertising or publicity pertaining
+to distribution of the software without specific, written prior
+permission. Apple Inc. makes no representations about the suitability of
+this software for any purpose. It is provided "as is" without express
+or implied warranty.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- LICENSE TERMS
+ --------------------
- The free distribution and use of this software in both source and binary
- form is allowed (with or without changes) provided that:
+The implementations of strlcpy and strlcat in
+src/util/support/strlcat.c have the following copyright and permission
+notice:
- 1. distributions of this source code include the above copyright
- notice, this list of conditions and the following disclaimer;
+Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
- 2. distributions in binary form include the above copyright
- notice, this list of conditions and the following disclaimer
- in the documentation and/or other associated materials;
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
- 3. the copyright holder's name is not used to endorse products
- built using this software without specific written permission.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- DISCLAIMER
+ --------------------
- This software is provided 'as is' with no explcit or implied warranties
- in respect of any properties, including, but not limited to, correctness
- and fitness for purpose.
+The implementations of UTF-8 string handling in src/util/support and
+src/lib/krb5/unicode are subject to the following copyright and
+permission notice:
+The OpenLDAP Public License
+ Version 2.8, 17 August 2003
+Redistribution and use of this software and associated documentation
+("Software"), with or without modification, are permitted provided
+that the following conditions are met:
-Acknowledgements
-----------------
+1. Redistributions in source form must retain copyright statements
+ and notices,
-Appreciation Time!!!! There are far too many people to try to thank
-them all; many people have contributed to the development of Kerberos
-V5. This is only a partial listing....
+2. Redistributions in binary form must reproduce applicable copyright
+ statements and notices, this list of conditions, and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution, and
-Thanks to Paul Vixie and the Internet Software Consortium for funding
-the work of Barry Jaspan. This funding was invaluable for the OV
-administration server integration, as well as the 1.0 release
-preparation process.
+3. Redistributions must contain a verbatim copy of this document.
-Thanks to John Linn, Scott Foote, and all of the folks at OpenVision
-Technologies, Inc., who donated their administration server for use in
-the MIT release of Kerberos.
+The OpenLDAP Foundation may revise this license from time to time.
+Each revision is distinguished by a version number. You may use
+this Software under terms of this license revision or under the
+terms of any subsequent revision of the license.
-Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken
-Raeburn, and all of the folks at Cygnus Support, who provided
-innumerable bug fixes and portability enhancements to the Kerberos V5
-tree. Thanks especially to Jeff Bigler, for the new user and system
-administrator's documentation.
+THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
+CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
+SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
+OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
-Thanks to Doug Engert from ANL for providing many bug fixes, as well
-as testing to ensure DCE interoperability.
+The names of the authors and copyright holders must not be used in
+advertising or otherwise to promote the sale, use or other dealing
+in this Software without specific, written prior permission. Title
+to copyright in this Software shall at all times remain with copyright
+holders.
+
+OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+
+Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
+California, USA. All Rights Reserved. Permission to copy and
+distribute verbatim copies of this document is granted.
+
+ --------------------
+
+Marked test programs in src/lib/krb5/krb have the following copyright:
+
+Copyright (c) 2006 Kungliga Tekniska Högskolan
+(Royal Institute of Technology, Stockholm, Sweden).
+All rights reserved.
-Thanks to Ken Hornstein at NRL for providing many bug fixes and
-suggestions, and for working on SAM preauthentication.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
-Thanks to Matt Crawford at FNAL for bugfixes and enhancements.
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
-Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
-their many suggestions and bug fixes.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
-Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and
-providing patches for numerous buffer overruns.
+3. Neither the name of KTH nor the names of its contributors may be
+ used to endorse or promote products derived from this software without
+ specific prior written permission.
-Thanks to Christopher Thompson and Marcus Watts for discovering the
-ftpd security bug.
+THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-Thanks to Paul Nelson of Thursby Software Systems for implementing the
-Microsoft set password protocol.
+Acknowledgements for krb5-1.8
+-----------------------------
Thanks to the members of the Kerberos V5 development team at MIT, both
-past and present: Danilo Almeida, Jay Berkenbilt, Richard Basch, Mitch
-Berger, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt
-Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav
-Jurisic, Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott
-McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris
-Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad
-Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.
+past and present: Danilo Almeida, Jeffrey Altman, Justin Anderson,
+Richard Basch, Jay Berkenbilt, Mitch Berger, Andrew Boardman, Joe
+Calzaretta, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman,
+Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus,
+Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl,
+Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
+Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
+Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna
+Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu.