Re: Importing Heimdal 7.8.0

From: Philip Paeps <philip_at_freebsd.org>
Date: Mon, 05 Feb 2024 07:40:27 UTC
On 2024-02-05 15:17:00 (+0800), Emmanuel Vadot wrote:
> On Mon, 05 Feb 2024 14:20:34 +0800
> Philip Paeps <philip@freebsd.org> wrote:
>> On 2024-02-04 14:54:58 (+0800), Emmanuel Vadot wrote:
>>> On Sat, 3 Feb 2024 10:24:09 -0800
>>> Enji Cooper <yaneurabeya@gmail.com> wrote:
>>>>> On Feb 3, 2024, at 09:45, Piotr P. Stefaniak <pstef@freebsd.org>
>>>>> wrote:
>>>>> On 2024-01-31 15:31:38, Dag-Erling Smørgrav wrote:
>>>>>> Minsoo Choo <minsoochoo0122@proton.me> writes:
>>>>>>> I'm currently working on importing the latest version of Heimdal,
>>>>>>
>>>>>> Please don't.
>>>>>
>>>>> why
>>>>
>>>> Cy is importing MIT kerberos. MIT is (in many cases) the de facto
>>>> flavor of kerberos.
>>>> Cheers,
>>>
>>>  Is changing kerberos flavor in 2024 really what we want ?
>>
>> We should ship a supported / maintained flavour of Kerberos.  MIT is the
>> best option.
>>
>>> People who are using base kdc will likely migrate to ports version of
>>> heimdal as database isn't compatible (unless something has changed in
>>> the past 15 years I've used kerberos).
>>
>> That's certainly true.
>>
>>> I guess that kerberos is still used a bit at some Colleges or old
>>> corporation that haven't moved from it but is it relevant for us to
>>> still include kerberos in base ?
>>
>> The kdc is only one component of Kerberos.  While using Kerberos alone
>> is certainly increasingly niche, many organisations use it in
>> combination with LDAP (e.g. Microsoft Active Directory).
>>
>> We need the Kerberos libraries in the base system for GSSAPI.  It's more
>> effort not to include the kdc and the utilities (kinit, kadmin,
>> ktutil,...) than including them.
>
>  Is there a written proposal for this switch ?

Not that I'm aware of.  Kerberos is not a particularly active area of 
the tree.  Cy has been maintaining Heimdal and has volunteered to switch 
us over to MIT.  I don't think we need any more bureaucracy than that.

> I can't seem to understand how it's useful to not include the
> utilities in base (I understand for kdc).
> If I need kerberos to login in my env I would need to pkg install
> heimdal/mit so I might as well pkg install openssh-portable && pkg
> delete FreeBSD-openssh so I have a kerberos aware ssh.

Right.  I don't think it's useful to stop including the utilities in 
base.  I don't mind not including the daemons.

We need kinit (and probably ktutil) and GSSAPI for NFS too.

I don't have particularly strong feelings about Kerberos-aware OpenSSH.  
Since we have to ship the libraries anyway, we might as well use them.

Long-term, I would advocate for "privatising" the Kerberos libraries 
(similar to what we do with sqlite3, libxml, etc) to avoid conflicting 
with 3rd party libraries.  I have no idea how much work that would be.  
I don't think I'm interested in doing the work, and I'm hesitant to 
volunteer someone else's time to do the work. :-)

> Please be aware that we're pushing pkgbase use so we will have a lot
> more flexibility to have a tool installed or not.

Sure.  And I'm all for pkgbase. :-)

Philip