Re: August 2025 stabilization week

Reply: Gleb Smirnoff : "Re: August 2025 stabilization week"
Reply: Rick Macklem : "Re: August 2025 stabilization week"
In reply to: Kyle Evans : "Re: August 2025 stabilization week"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Mon, 25 Aug 2025 20:27:47 UTC

On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <kevans@freebsd.org> wrote:
>
> CAUTION: This email originated from outside of the University of Guelph. Do not click links or open attachments unless you recognize the sender and know the content is safe. If in doubt, forward suspicious emails to IThelp@uoguelph.ca.
>
> On 8/25/25 07:53, Gleb Smirnoff wrote:
> >    Hi,
> >
> > On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
> > T> This is an automated email to inform you that the August 2025 stabilization week
> > T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
> > T> main-stabweek-2025-Aug.
> >
> > This stabilization cycle is expected to be more bumpy than usually.
> >
> > 1) We got major upgrade - OpenSSL 3.5.1. One known issue is that the legacy
> > provider is broken.
I believe that KTLS support isn't yet enabled for it?
(If so, NFS over TLS wo't work.)

> >
> > 2) The default Kerberos now is MIT.  We have already checked that a Kerberized
> > NFS client can migrate from Heimdal to MIT.  We did not check Kerberized NFS
> > server, but should be fine.
I tested the server a couple of days ago and it was fine.

>  There is no yet an official way to migrate kdc
> > from Heimdal to MIT.
Yea. One possibility is to install Heimdal-7.8 from ports/packages and then
use it to dump the KDC's database in MIT format. (Although Cy seemed to
find it didn't work, doing this with the "--decrypt" option might retain the
passwords.)

I'll give this a try and report back if it worked for me.

rick

>  So, if you are upgrading a machine that is kdc, you need
> > WITHOUT_MITKRB5="yes" in your src.conf.
> >
> > 3) The official pkg repo is now almost empty, see email from Colin [1]. So, do
> > not rush with 'make delete-old-libs', unless you are ready to build a lot of
> > packages yourself.
> >
> > 4) The unfortunate coincidence with 3) is ABI breakage in the
> > setgroups(2)/getgroups(2) syscalls compared to the July stabilization point.
> > Some packages would dump core.  These packages need to be rebuilt.
> >
>
> This should be mitigated if you have COMPAT_FREEBSD14 enabled?  Old packages would
> reference the old compat symbol versions in libc, which should use the COMPAT_FREEBSD14
> variants of setgroups/getgroups.  If you have a pointer to scenarios where that isn't
> the case, that'd be helpful- old packages should be fine in the GENERIC case.
>
> Thanks,
>
> Kyle Evans