So, I realise that I posted about this quite some time ago, but I
think that we need to come up with a policy for how we decide
whether to support GSSAPI/krb5 auth in pkgs.  Given that the base
system supports kerberos and GSSAPI in every place where it makes
sense, I think that we should do the same in pkgsrc so as to not
violate least surprise.

Another thing to keep in mind is with cvs, if you install the pkg
then you lose GSSAPI support---but the support exists in the base
system.  Our OpenSSH pkg has the same problem, only worse because
it doesn't look like there is even a way to turn on this functionality
that is provided in the base system's OpenSSH.

This sort of thing makes the system much more difficult to use
because it violates least surprise.

So, as a first step towards enacting the policy I would suggest
that we change in pkgsrc/mk/bsd.pkg.defaults.mk:

#KERBEROS=
# Used in many packages to specify use of a Kerberos (or compatible)
# subsystem.  Requires Kerberos libraries in /usr/lib.
# Possible: defined, not defined
# Default: not defined

to something more like:

.if !defined(USE_KERBEROS)
.if defined(KERBEROS)
USE_KERBEROS=yes
.else
USE_KERBEROS=no
.endif
.if 

Since we .include bsd.own.mk before bsd.pkg.defaults.mk, on NetBSD
1.6 and beyond we should go into that code with USE_KERBEROS set.

Then we should transition the pkgs that use the older KERBEROS
variable to use the current USE_KERBEROS.  And try to keep in mind
that Kerberos support should be provided in new packages, package
upgrades, etc.

Comments?

Thanks,

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/