From: Philip Paeps
To: Emmanuel Vadot
Cc: Enji Cooper, "Piotr P. Stefaniak", "Dag-Erling Smørgrav", Minsoo Choo, freebsd-arch@freebsd.org
Subject: Re: Importing Heimdal 7.8.0
Date: Mon, 05 Feb 2024 14:20:34 +0800
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

On 2024-02-04 14:54:58 (+0800), Emmanuel Vadot wrote:
> On Sat, 3 Feb 2024 10:24:09 -0800
> Enji Cooper wrote:
>>> On Feb 3, 2024, at 09:45, Piotr P. Stefaniak wrote:
>>> On 2024-01-31 15:31:38, Dag-Erling Smørgrav wrote:
>>>> Minsoo Choo writes:
>>>>> I'm currently working on importing the latest version of Heimdal,
>>>>
>>>> Please don't.
>>>
>>> why
>>
>> Cy is importing MIT kerberos. MIT is (in many cases) the de facto
>> flavor of kerberos.
>> Cheers,
>
> Is changing kerberos flavor in 2024 really what we want ?

We should ship a supported / maintained flavour of Kerberos. MIT is the
best option.

> People who are using base kdc will likely migrate to ports version of
> heimdal as database isn't compatible (unless something has changed in
> the past 15 years I've used kerberos).

That's certainly true.

> I guess that kerberos is still used a bit at some Colleges or old
> corporation that haven't moved from it but is it relevant for us to
> still include kerberos in base ?

The kdc is only one component of Kerberos. While using Kerberos alone
is certainly increasingly niche, many organisations use it in
combination with LDAP (e.g. Microsoft Active Directory).

We need the Kerberos libraries in the base system for GSSAPI. It's more
effort not to include the kdc and the utilities (kinit, kadmin,
ktutil,...) than including them.

> OpenSSH-portable/curl and anything else in ports could be moved to use
> MIT/Heimdal from ports (based on some options and/or subpackages if
> that is possible).

OpenSSH in base still needs to support GSSAPI.

Philip

From: Emmanuel Vadot
To: Philip Paeps
Cc: Enji Cooper, "Piotr P. Stefaniak", "Dag-Erling Smørgrav", Minsoo Choo, freebsd-arch@freebsd.org
Subject: Re: Importing Heimdal 7.8.0
Date: Mon, 5 Feb 2024 08:17:00 +0100

On Mon, 05 Feb 2024 14:20:34 +0800
Philip Paeps wrote:

> On 2024-02-04 14:54:58 (+0800), Emmanuel Vadot wrote:
> > On Sat, 3 Feb 2024 10:24:09 -0800
> > Enji Cooper wrote:
> >>> On Feb 3, 2024, at 09:45, Piotr P. Stefaniak wrote:
> >>> On 2024-01-31 15:31:38, Dag-Erling Smørgrav wrote:
> >>>> Minsoo Choo writes:
> >>>>> I'm currently working on importing the latest version of Heimdal,
> >>>>
> >>>> Please don't.
> >>>
> >>> why
> >>
> >> Cy is importing MIT kerberos. MIT is (in many cases) the de facto
> >> flavor of kerberos.
> >> Cheers,
> >
> > Is changing kerberos flavor in 2024 really what we want ?
>
> We should ship a supported / maintained flavour of Kerberos. MIT is the
> best option.
>
> > People who are using base kdc will likely migrate to ports version of
> > heimdal as database isn't compatible (unless something has changed in
> > the past 15 years I've used kerberos).
>
> That's certainly true.
>
> > I guess that kerberos is still used a bit at some Colleges or old
> > corporation that haven't moved from it but is it relevant for us to
> > still include kerberos in base ?
>
> The kdc is only one component of Kerberos. While using Kerberos alone
> is certainly increasingly niche, many organisations use it in
> combination with LDAP (e.g. Microsoft Active Directory).
>
> We need the Kerberos libraries in the base system for GSSAPI. It's more
> effort not to include the kdc and the utilities (kinit, kadmin,
> ktutil,...) than including them.

 Is there a written proposal for this switch ?

 I can't seem to understand how it's useful to not include the
utilities in base (I understand for kdc).
 If I need kerberos to login in my env I would need to pkg install
heimdal/mit so I might as well pkg install openssh-portable && pkg
delete FreeBSD-openssh so I have a kerberos aware ssh.

 Please be aware that we're pushing pkgbase use so we will have a lot
more flexibility to have a tool installed or not.

> > OpenSSH-portable/curl and anything else in ports could be moved to use
> > MIT/Heimdal from ports (based on some options and/or subpackages if
> > that is possible).
>
> OpenSSH in base still needs to support GSSAPI.
>
> Philip
>

-- 
Emmanuel Vadot

From: Philip Paeps
To: Emmanuel Vadot
Cc: Enji Cooper, "Piotr P. Stefaniak", "Dag-Erling Smørgrav", Minsoo Choo, freebsd-arch@freebsd.org
Subject: Re: Importing Heimdal 7.8.0
Date: Mon, 05 Feb 2024 15:40:27 +0800

On 2024-02-05 15:17:00 (+0800), Emmanuel Vadot wrote:
> On Mon, 05 Feb 2024 14:20:34 +0800
> Philip Paeps wrote:
>> On 2024-02-04 14:54:58 (+0800), Emmanuel Vadot wrote:
>>> On Sat, 3 Feb 2024 10:24:09 -0800
>>> Enji Cooper wrote:
>>>>> On Feb 3, 2024, at 09:45, Piotr P. Stefaniak wrote:
>>>>> On 2024-01-31 15:31:38, Dag-Erling Smørgrav wrote:
>>>>>> Minsoo Choo writes:
>>>>>>> I'm currently working on importing the latest version of
>>>>>>> Heimdal,
>>>>>>
>>>>>> Please don't.
>>>>>
>>>>> why
>>>>
>>>> Cy is importing MIT kerberos. MIT is (in many cases) the de facto
>>>> flavor of kerberos.
>>>> Cheers,
>>>
>>> Is changing kerberos flavor in 2024 really what we want ?
>>
>> We should ship a supported / maintained flavour of Kerberos. MIT is
>> the best option.
>>
>>> People who are using base kdc will likely migrate to ports version
>>> of heimdal as database isn't compatible (unless something has changed
>>> in the past 15 years I've used kerberos).
>>
>> That's certainly true.
>>
>>> I guess that kerberos is still used a bit at some Colleges or old
>>> corporation that haven't moved from it but is it relevant for us to
>>> still include kerberos in base ?
>>
>> The kdc is only one component of Kerberos. While using Kerberos
>> alone is certainly increasingly niche, many organisations use it in
>> combination with LDAP (e.g. Microsoft Active Directory).
>>
>> We need the Kerberos libraries in the base system for GSSAPI. It's
>> more effort not to include the kdc and the utilities (kinit, kadmin,
>> ktutil,...) than including them.
>
> Is there a written proposal for this switch ?

Not that I'm aware of. Kerberos is not a particularly active area of
the tree. Cy has been maintaining Heimdal and has volunteered to switch
us over to MIT. I don't think we need any more bureaucracy than that.

> I can't seem to understand how it's useful to not include the
> utilities in base (I understand for kdc).
> If I need kerberos to login in my env I would need to pkg install
> heimdal/mit so I might as well pkg install openssh-portable && pkg
> delete FreeBSD-openssh so I have a kerberos aware ssh.

Right. I don't think it's useful to stop including the utilities in
base. I don't mind not including the daemons. We need kinit (and
probably ktutil) and GSSAPI for NFS too.

I don't have particularly strong feelings about Kerberos-aware OpenSSH.
Since we have to ship the libraries anyway, we might as well use them.

Long-term, I would advocate for "privatising" the Kerberos libraries
(similar to what we do with sqlite3, libxml, etc) to avoid conflicting
with 3rd party libraries. I have no idea how much work that would be.
I don't think I'm interested in doing the work, and I'm hesitant to
volunteer someone else's time to do the work. :-)

> Please be aware that we're pushing pkgbase use so we will have a lot
> more flexibility to have a tool installed or not.

Sure. And I'm all for pkgbase. :-)

Philip

From: Enji Cooper
To: Emmanuel Vadot
Cc: "Piotr P. Stefaniak", Dag-Erling Smørgrav, Minsoo Choo, freebsd-arch@freebsd.org
Subject: Re: Importing Heimdal 7.8.0
Date: Mon, 5 Feb 2024 12:06:44 -0800

> On Feb 3, 2024, at 10:54 PM, Emmanuel Vadot wrote:

…

> Is changing kerberos flavor in 2024 really what we want ?
> People who are using base kdc will likely migrate to ports version of
> heimdal as database isn't compatible (unless something has changed in
> the past 15 years I've used kerberos).
> I guess that kerberos is still used a bit at some Colleges or old
> corporation that haven't moved from it but is it relevant for us to
> still include kerberos in base ?
> OpenSSH-portable/curl and anything else in ports could be moved to use
> MIT/Heimdal from ports (based on some options and/or subpackages if
> that is possible).

This is a good question for Cy (I can’t answer this). I’m mostly just
the messenger in this case (my second sentence about "MIT kerberos being
the de facto kerberos flavor” was my personal opinion on the topic).
-Enji

From: Cy Schubert
To: Enji Cooper
Cc: Emmanuel Vadot, "Piotr P. Stefaniak", Dag-Erling Smørgrav, Minsoo Choo, freebsd-arch@freebsd.org
Subject: Re: Importing Heimdal 7.8.0
Date: Mon, 5 Feb 2024 13:10:37 -0800

On Mon, 5 Feb 2024 12:06:44 -0800
Enji Cooper wrote:

> > On Feb 3, 2024, at 10:54 PM, Emmanuel Vadot wrote:
>
> …
>
> > Is changing kerberos flavor in 2024 really what we want ?
> > People who are using base kdc will likely migrate to ports version of
> > heimdal as database isn't compatible (unless something has changed in
> > the past 15 years I've used kerberos).
> > I guess that kerberos is still used a bit at some Colleges or old
> > corporation that haven't moved from it but is it relevant for us to
> > still include kerberos in base ?
> > OpenSSH-portable/curl and anything else in ports could be moved to use
> > MIT/Heimdal from ports (based on some options and/or subpackages if
> > that is possible).
>
> This is a good question for Cy (I can’t answer this). I’m mostly just
> the messenger in this case (my second sentence about "MIT kerberos being
> the de facto kerberos flavor” was my personal opinion on the topic).
> -Enji

I'll reiterate an email I sent to this list in December.

The reasons for this are fourfold.

1. After importing Heimdal 7.7.0 locally, 7.8.0 failed to import. They'd
   restructured the code enough to require significant restructuring of
   makefiles. At this point I was only toying with the idea of importing
   MIT into base. No work had commenced yet.

2. FreeBSD Foundation contacted me about a large corporate user of
   FreeBSD about their pain point of Heimdal in base instead of MIT.

3. There is more support that I've seen, at mostly among developers, but
   others too, for replacing Heimdal with MIT.

4. MIT is the original Kerberos. It is the kerberos in all Linux
   distros. It is also baked into Active Directory. It is the gold
   standard.

I don't know who the large corporate user is but having spent my entire
career in the corporate world, integration into A/D is important to
large enterprise users. IMO, if we want to see more FreeBSD used by
large corporations, reason #2 above is probably the most important
reason to switch from Heimdal to MIT.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

e^(i*pi)+1=0