On 2016-05-10, Theo de Raadt <[email protected]> wrote: >> It's still relatively young and the clients are improving. > > I actually don't think they are improving. > > I don't see any with priviledge seperation, nor any which could > plausibly be pledged.
For months there wasn't anything other than the official client. After the service started operating and showed itself to not be vapourware people started writing their own, but obviously the ones that were ready to share early were mostly quick hacks. It's not priviledge-separated (though like most of them can be run as an unpriviledged user given a little thought), but there's one written in go (acmetool) which seems cleaner than most. (Pity it's in a language with an annoying-to-build/package ecosystem but at least it's not another one in unportable bash...) I'd be happy to be proved wrong but I don't think we're very likely to see privsep unless it comes from someone familiar with OpenBSD. I don't know why but very few seem to use these techniques.
