Re: 2 Patches to security/krb5/builtin.mk

["Dr. Thomas Orgis" <thomas.orgis%uni-hamburg.de@localhost>]

Am Wed, 12 May 2021 11:48:52 -0400
schrieb Greg Troxel <gdt%lexort.com@localhost>: 

> >  BUILTIN_FIND_HEADERS.H_MIT_KRB5=	kerberosv5/krb5.h
> > +.elif !empty(MACHINE_PLATFORM:MLinux-*)
> > +# Assuming mit-krb5 >= 1.5 on GNU/Linux.
> > +BUILTIN_FIND_HEADERS.H_MIT_KRB5=        krb5/krb5.h
> >  .else

Actually, is it sensible to only condition the krb5.h or krb5/krb5.h
decision on Linux/Darwin OS? Could one rewrite this to check for both?

Or rather, thinking a bit more … isn't

test $(/usr/bin/krb5-config --vendor) = Massachusetts Institute of Technology

better than grepping around in headers? Is that present in old
versions? Or the version output …

$ /data/pkg/bin/krb5-config --version
heimdal 1.5.3
$ /usr/bin/krb5-config --version
Kerberos 5 release 1.17

(Heimdal doesn't offer --vendor.)

It might be more the pkgsrc way to test for platform and use known
properties of those. But this falls flat when your check is just
‘Linux’ without any vintage attached. Using krb5-config would work
‘anywhere’.

But if we are going for minimal changes, at least any non-ancient linux
will have mit-krb5 version 1.5+ and so my patch works in practice and
is an improvement. But it doesn't feel entirely correct.

> > +.    if !empty(SH_KRB5_CONFIG:M/usr/lib/mit/*)
> > +BUILDLINK_PREFIX.mit-krb5=	/usr/lib/mit
> > +.    endif
> > +

> I would prefer that we not commit patches unless someone can explain why
> they are necessary and why they are correct. 

Yes. I will not do anything with that one on my own. For some reason I
have it named

	security-mit-kerb5-Zjperkin-prefix.patch

and so am trying to blame jperkin for it;-)


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
HPC @ Universität Hamburg