tech-pkg archive


Re: kerberos is the new sqlite: disable, force mit, or ?
> Date: Tue, 03 Sep 2024 20:15:48 -0400
> From: Greg Troxel <gdt%lexort.com@localhost>
> 
> It turns out that pgsql16, rather than
> 
>   .  include "../../mk/krb5.buildlink3.mk"
> 
> has
> 
>   # This should be ../mk/krb5.buildlink3.mk. However, that may select
>   # security/heimdal as the Kerberos implementation, and it doesn't have
>   # gss_store_cred_into().
>   .  include "../../security/mit-krb5/buildlink3.mk"

FYI, gss_store_cred_into has been added to Heimdal, but it isn't out
in a release yet.

https://github.com/heimdal/heimdal/issues/451
https://github.com/heimdal/heimdal/commit/e0bb9c10cad0fd98245caecf8af8fca855b2df49

> I see multiple possible paths:
> 
>   1) Decide that with variant APIs, krb is messy, and few use it, so
>   disable gssapi by default in all packages.
> 
>   1A) Like 1, but disable it in most, especially curl.

It would be a pretty severe regression to remove what is almost
certainly the most widely deployed single-sign-on system on the
planet.  (Even TNF uses it internally, for web services.)

>   2) Decide that if even one package needs an API in mit-krb5 but not
>   heimdal, that krb5.buildlink3.mk should only allow mit-krb5.  Decide
>   that any base lib that includes any heimdal lib is not allowed as
>   builtin.  This is more or less what we did for sqlite3.
> 
>   3) Don't use base heimdal but patch in the new API to pkgsrc heimdal.
> 
>   4) Do nothing, leaving people who want to run qgis/postgis to do step
>   1 locally, and risking an increasing number of official binaries being
>   broken.

I don't think any of these answers is right.  Mixing gssapi
implementations is doomed to failure.  Instead, pkgsrc should have
some way to request krb5/gssapi extensions.  And if the implementation
chosen can't satisfy them, the package build should noisily fail.
Builders can change the _treewide_ krb5/gssapi implementation choice
in order to make this consistent.

For example, maybe something like:

GSSAPI_REQD+=	credstoreext
.include "../../mk/krb5.buildlink3.mk"