tedvudekvdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpehphhhilhhiphdomhgvshhmthhprghuthhhphgvrhhsohhnrghlihhthidqudduieei vdeivdegkedqvdefhedukedttdekqdhphhhilhhipheppehfrhgvvggsshgurdhorhhgse htrhhouhgslhgvrdhish X-ME-Proxy: Feedback-ID: ia691475d:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 5 Feb 2024 02:40:32 -0500 (EST) From: Philip Paeps To: Emmanuel Vadot Cc: Enji Cooper , "\"Piotr P. Stefaniak\"" , =?utf-8?q?=22Dag-Erling_Sm=C3=B8rgrav=22?= , Minsoo Choo , freebsd-arch@freebsd.org Subject: Re: Importing Heimdal 7.8.0 Date: Mon, 05 Feb 2024 15:40:27 +0800 X-Mailer: MailMate (1.14r6016) Message-ID: <798BA48F-D26E-4324-ADA6-B94667F5F3E1@freebsd.org> In-Reply-To: <20240205081700.d0030024eb83f7ccbfd72b3e@bidouilliste.com> References: <7B302C8A-8A56-4840-B8D1-A01A3F9D765C@gmail.com> <20240204075458.04884948a03419c3afcd1f4f@bidouilliste.com> <74FEC455-1390-4759-9095-47B9EBA95A31@freebsd.org> <20240205081700.d0030024eb83f7ccbfd72b3e@bidouilliste.com> List-Id: Discussion related to FreeBSD architecture List-Archive: https://lists.freebsd.org/archives/freebsd-arch List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-arch@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit On 2024-02-05 15:17:00 (+0800), Emmanuel Vadot wrote: > On Mon, 05 Feb 2024 14:20:34 +0800 > Philip Paeps wrote: >> On 2024-02-04 14:54:58 (+0800), Emmanuel Vadot wrote: >>> On Sat, 3 Feb 2024 10:24:09 -0800 >>> Enji Cooper wrote: >>>>> On Feb 3, 2024, at 09:45, Piotr P. Stefaniak >>>>> wrote: >>>>> ?On 2024-01-31 15:31:38, Dag-Erling Smørgrav wrote: >>>>>> Minsoo Choo writes: >>>>>>> I'm currently working on importing the latest version of >>>>>>> Heimdal, >>>>>> >>>>>> Please don't. >>>>> >>>>> why >>>> >>>> Cy is importing MIT kerberos. MIT is (in many cases) the defacto >>>> flavor of kerberos. 
>>>> Cheers,
>>>
>>> Is changing kerberos flavor in 2024 really what we want?
>>
>> We should ship a supported / maintained flavour of Kerberos. MIT is
>> the best option.
>>
>>> People who are using base kdc will likely migrate to ports version
>>> of heimdal as database isn't compatible (unless something has
>>> changed in the past 15 years I've used kerberos).
>>
>> That's certainly true.
>>
>>> I guess that kerberos is still used a bit at some Colleges or old
>>> corporations that haven't moved from it but is it relevant for us
>>> to still include kerberos in base?
>>
>> The kdc is only one component of Kerberos. While using Kerberos
>> alone is certainly increasingly niche, many organisations use it in
>> combination with LDAP (e.g. Microsoft Active Directory).
>>
>> We need the Kerberos libraries in the base system for GSSAPI. It's
>> more effort not to include the kdc and the utilities (kinit, kadmin,
>> ktutil, ...) than including them.
>
> Is there a written proposal for this switch?

Not that I'm aware of. Kerberos is not a particularly active area of
the tree. Cy has been maintaining Heimdal and has volunteered to switch
us over to MIT. I don't think we need any more bureaucracy than that.

> I can't seem to understand how it's useful to not include the
> utilities in base (I understand for kdc).
> If I need kerberos to login in my env I would need to pkg install
> heimdal/mit so I might as well pkg install openssh-portable && pkg
> delete FreeBSD-openssh so I have a kerberos aware ssh.

Right. I don't think it's useful to stop including the utilities in
base. I don't mind not including the daemons. We need kinit (and
probably ktutil) and GSSAPI for NFS too.

I don't have particularly strong feelings about Kerberos-aware OpenSSH.
Since we have to ship the libraries anyway, we might as well use them.

Long-term, I would advocate for "privatising" the Kerberos libraries
(similar to what we do with sqlite3, libxml, etc) to avoid conflicting
with 3rd party libraries. I have no idea how much work that would be.
I don't think I'm interested in doing the work, and I'm hesitant to
volunteer someone else's time to do the work. :-)

> Please be aware that we're pushing pkgbase use so we will have a lot
> more flexibility to have a tool installed or not.

Sure. And I'm all for pkgbase. :-)

Philip