Date: Thu, 24 Jul 2025 21:58:19 +0300
From: Konstantin Belousov
To: Cy Schubert
Cc: Cy Schubert, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: e447c252d0ec - main - krb5: Merge Heimdal common functions into version maps
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On Thu, Jul 24, 2025 at 11:40:10AM -0700, Cy Schubert wrote:
> In message , Konstantin Belousov writes:
> > On Thu, Jul 24, 2025 at 10:34:12AM -0700, Cy Schubert wrote:
> > > In message , Konstantin Belousov writes:
> > > > On Thu, Jul 24, 2025 at 05:14:15PM +0000, Cy Schubert wrote:
> > > > > The branch main has been updated by cy:
> > > > >
> > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=e447c252d0eca8f1440996f2a3521c75c06ae126
> > > > >
> > > > > commit e447c252d0eca8f1440996f2a3521c75c06ae126
> > > > > Author: Cy Schubert
> > > > > AuthorDate: 2025-07-24 16:24:03 +0000
> > > > > Commit: Cy Schubert
> > > > > CommitDate: 2025-07-24 16:31:40 +0000
> > > > >
> > > > > krb5: Merge Heimdal common functions into version maps
> > > > >
> > > > > Requested by: kib
> > > > I do not remember that I ever asked to do this.
> > > > More, I do not understand Kerberos to see such details.
> > > >
> > > > But see below.
> > > >
> > > > > ---
> > > > > krb5/lib/gssapi/version.map | 171 +++++++++---------
> > > > > krb5/lib/krb5/version.map | 430 ++++++++++++++++++++++----------------------
> > > > > krb5/util/et/version.map | 12 +-
> > > > > 3 files changed, 312 insertions(+), 301 deletions(-)
> > > > >
> > > > > diff --git a/krb5/lib/gssapi/version.map b/krb5/lib/gssapi/version.map > > > > > index bd0d28df70a7..d52c0d3d1e36 100644 > > > > > --- a/krb5/lib/gssapi/version.map > > > > > +++ b/krb5/lib/gssapi/version.map 
> > > > > @@ -1,3 +1,90 @@ > > > > > +HEIMDAL_GSS_2.0 { > > > > > + global: > > > > > + gss_accept_sec_context; > > > > > + gss_acquire_cred; > > > > > + gss_acquire_cred_with_password; > > > > > + gss_add_buffer_set_member; > > > > > + gss_add_cred; > > > > > + gss_add_cred_with_password; > > > > > + gss_add_oid_set_member; > > > > > + gss_authorize_localname; > > > > > + gss_canonicalize_name; > > > > > + gss_compare_name; > > > > > + gss_context_time; > > > > > + gss_create_empty_buffer_set; > > > > > + gss_create_empty_oid_set; > > > > > + gss_decapsulate_token; > > > > > + gss_delete_name_attribute; > > > > > + gss_delete_sec_context; > > > > > + gss_display_mech_attr; > > > > > + gss_display_name; > > > > > + gss_display_name_ext; > > > > > + gss_display_status; > > > > > + gss_duplicate_name; > > > > > + gss_encapsulate_token; > > > > > + gss_export_cred; > > > > > + gss_export_name; > > > > > + gss_export_name_composite; > > > > > + gss_export_sec_context; > > > > > + gss_get_mic; > > > > > + gss_get_name_attribute; > > > > > + gss_import_cred; > > > > > + gss_import_name; > > > > > + gss_import_sec_context; > > > > > + gss_indicate_mechs; > > > > > + gss_indicate_mechs_by_attrs; > > > > > + gss_init_sec_context; > > > > > + gss_inquire_attrs_for_mech; > > > > > + gss_inquire_context; > > > > > + gss_inquire_cred; > > > > > + gss_inquire_cred_by_mech; > > > > > + gss_inquire_cred_by_oid; > > > > > + gss_inquire_mech_for_saslname; > > > > > + gss_inquire_mechs_for_name; > > > > > + gss_inquire_name; > > > > > + gss_inquire_names_for_mech; > > > > > + gss_inquire_saslname_for_mech; > > > > > + gss_krb5_ccache_name; > > > > > + gss_krb5_copy_ccache; > > > > > + gss_krb5_export_lucid_sec_context; > > > > > + gss_krb5_free_lucid_sec_context; > > > > > + gss_krb5_get_tkt_flags; > > > > > + gss_krb5_import_cred; > > > > > + gss_krb5_set_allowable_enctypes; > > > > > + gss_oid_equal; > > > > > + gss_oid_to_str; > > > > > + gss_pname_to_uid; > > > > > + 
gss_process_context_token; > > > > > + gss_pseudo_random; > > > > > + gss_release_buffer; > > > > > + gss_release_buffer_set; > > > > > + gss_release_cred; > > > > > + gss_release_iov_buffer; > > > > > + gss_release_name; > > > > > + gss_release_oid; > > > > > + gss_release_oid_set; > > > > > + gss_seal; > > > > > + gss_set_cred_option; > > > > > + gss_set_name_attribute; > > > > > + gss_set_sec_context_option; > > > > > + gss_sign; > > > > > + gss_store_cred; > > > > > + gss_test_oid_set_member; > > > > > + gss_unseal; > > > > > + gss_unwrap; > > > > > + gss_unwrap_iov; > > > > > + gss_userok; > > > > > + gss_verify; > > > > > + gss_verify_mic; > > > > > + gss_wrap; > > > > > + gss_wrap_iov; > > > > > + gss_wrap_iov_length; > > > > > + gss_wrap_size_limit; > > > > > + gsskrb5_extract_authtime_from_sec_context; > > > > > + gsskrb5_extract_authz_data_from_sec_context; > > > > > + krb5_gss_register_acceptor_identity; > > > > > +}; > > > > > + > > > > > gssapi_krb5_2_MIT { > > > > > global: > > > > > GSS_C_ATTR_LOCAL_LOGIN_USER; 
> > > > > @@ -46,67 +133,14 @@ gssapi_krb5_2_MIT { > > > > > GSS_C_MA_CTX_TRANS; > > > > > GSS_C_MA_NEGOEX_AND_SPNEGO; > > > > > GSS_C_SEC_CONTEXT_SASL_SSF; > > > > > - gss_accept_sec_context; > > > > > - gss_acquire_cred; > > > > > - gss_acquire_cred_with_password; > > > > > gss_acquire_cred_impersonate_name; > > > > > - gss_add_buffer_set_member; > > > > > - gss_add_cred; > > > > > gss_add_cred_impersonate_name; > > > > > - gss_add_cred_with_password; > > > > > - gss_add_oid_set_member; > > > > > - gss_authorize_localname; > > > > > - gss_canonicalize_name; > > > > > - gss_compare_name; > > > > > gss_complete_auth_token; > > > > > - gss_context_time; > > > > > - gss_create_empty_buffer_set; > > > > > - gss_create_empty_oid_set; > > > > > - gss_decapsulate_token; > > > > > - gss_delete_name_attribute; > > > > > - gss_delete_sec_context; > > > > > - gss_display_mech_attr; > > > > > - gss_display_name; > > > > > - gss_display_name_ext; > > > > > - gss_display_status; > > > > > - gss_duplicate_name; > > > > > - gss_encapsulate_token; > > > > > - gss_export_cred; > > > > > - gss_export_name; > > > > > - gss_export_name_composite; > > > > > - gss_export_sec_context; > > > > > - gss_get_mic; > > > > > gss_get_mic_iov; > > > > > gss_get_mic_iov_length; > > > > > - gss_get_name_attribute; > > > > > - gss_import_cred; > > > > > - gss_import_name; > > > > > - gss_import_sec_context; > > > > > - gss_indicate_mechs; > > > > > - gss_init_sec_context; > > > > > - gss_indicate_mechs_by_attrs; > > > > > - gss_inquire_attrs_for_mech; > > > > > - gss_inquire_context; > > > > > - gss_inquire_cred; > > > > > - gss_inquire_cred_by_mech; > > > > > - gss_inquire_cred_by_oid; > > > > > - gss_inquire_mech_for_saslname; > > > > > - gss_inquire_mechs_for_name; > > > > > - gss_inquire_names_for_mech; > > > > > - gss_inquire_saslname_for_mech; > > > > > - gss_inquire_sec_context_by_oid; > > > > > - gss_krb5_ccache_name; > > > > > - gss_krb5_copy_ccache; > > > > > - 
gss_krb5_export_lucid_sec_context; > > > > > - gss_krb5_free_lucid_sec_context; > > > > > - gss_krb5_get_tkt_flags; > > > > > - gss_krb5_import_cred; > > > > > - gss_krb5_set_allowable_enctypes; > > > > > gss_krb5_set_cred_rcache; > > > > > gss_krb5int_make_seal_token_v3; > > > > > gss_krb5int_unseal_token_v3; > > > > > - gsskrb5_extract_authtime_from_sec_context; > > > > > - gsskrb5_extract_authz_data_from_sec_context; > > > > > gss_localname; > > > > > gss_map_name_to_any; > > > > > gss_mech_iakerb; 
> > > > > @@ -124,47 +158,16 @@ gssapi_krb5_2_MIT { > > > > > gss_nt_service_name_v2; > > > > > gss_nt_string_uid_name; > > > > > gss_nt_user_name; > > > > > - gss_oid_equal; > > > > > - gss_oid_to_str; > > > > > - gss_pname_to_uid; > > > > > - gss_pseudo_random; > > > > > - gss_process_context_token; > > > > > gss_release_any_name_mapping; > > > > > - gss_release_buffer_set; > > > > > - gss_release_buffer; > > > > > - gss_release_cred; > > > > > - gss_release_iov_buffer; > > > > > - gss_release_name; > > > > > - gss_release_oid; > > > > > - gss_release_oid_set; > > > > > - gss_seal; > > > > > - gss_set_name_attribute; > > > > > gss_set_neg_mechs; > > > > > - gss_set_sec_context_option; > > > > > - gss_sign; > > > > > - gss_store_cred; > > > > > gss_str_to_oid; > > > > > - gss_test_oid_set_member; > > > > > - gss_unseal; > > > > > - gss_unwrap; > > > > > gss_unwrap_aead; > > > > > - gss_unwrap_iov; > > > > > - gss_userok; > > > > > - gss_verify; > > > > > - gss_verify_mic; > > > > > gss_verify_mic_iov; > > > > > - gss_wrap; > > > > > gss_wrap_aead; > > > > > - gss_wrap_iov; > > > > > - gss_wrap_iov_length; > > > > > - gss_wrap_size_limit; > > > > > - gss_set_cred_option; > > > > > gssspi_set_cred_option; > > > > > gssspi_mech_invoke; > > > > > krb5_gss_dbg_client_expcreds; > > > > > - krb5_gss_register_acceptor_identity; > > > > > krb5_gss_use_kdc_context; > > > > > - gss_inquire_name; > > > > > gss_acquire_cred_from; > > > > > gss_add_cred_from; > > > > > gss_store_cred_into;
> > > >
> > > > This breaks the ABI of _current_ libc on HEAD even more.
> > > > Please do bump the dso versions for all libs from kerberos/gss
> > > > with same current name as it was in Heimdal time.
> > >
> > > In other words use Heimdal in the name instead of the names MIT uses?
> > >
> > > This was certainly short-sighted on our part when we put Heimdal in our DSO
> > > names at the time.
> > No.
> >
> > Just for all libs that have the same name as old heimdal libs, bump
> > dso version. Do not rewrite version scripts, if there are vendor-provided
> > scripts, patching it locally now would be a maintenance nightmare.
> >
> > I suspect that there is something unclear in "bump the dso version"
> > suggestion.
>
> Those were bumped from .11 to .121 (for MIT KRB5 1.21). This should have
> been evident from the start.
It is absolutely not evident.

Then, why did you do the patches against vendor versioning?
Unless we have very good reason, we must stick to stock vendor
version scripts.

When symbol version was added (presumably to not versioned libs),
dso version should have been bumped again, if providing strong ABI
stability guarantees. But due to all rototilling in version scripts,
I suspect we must admit that this is useless now.
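
Review bot: The new HEIMDAL_GSS_2.0 node added at the top of krb5/lib/gssapi/version.map (first hunk, @@ -1,3 +1,90 @@) has no comment saying why this library exports names under a Heimdal version tag or who depends on that tag. Because it sits in the same file as the gssapi_krb5_2_MIT node and duplicates names that node used to carry, a short comment above `HEIMDAL_GSS_2.0 {` stating the purpose and that the node is a local addition would make the file easier to reconcile on the next vendor import.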
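
Review bot: In the second hunk (@@ -46,67 +133,14 @@), `gss_inquire_sec_context_by_oid` is removed from gssapi_krb5_2_MIT but is not among the names added to HEIMDAL_GSS_2.0 in the first hunk, and no visible hunk adds it back. The three gssapi hunks shown remove 84 names and add 83, and this is the one that does not reappear. If the drop is not intended, keep the line in gssapi_krb5_2_MIT or add it to the new node.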
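
Review bot: The third hunk (@@ -124,47 +158,16 @@) takes gss_wrap, gss_unwrap, gss_release_buffer and the other names marked `-` out of gssapi_krb5_2_MIT, so together with the first hunk their version tag changes from gssapi_krb5_2_MIT to HEIMDAL_GSS_2.0. A binary already linked against the gssapi_krb5_2_MIT-tagged names will no longer find them, and nothing in the visible diff bumps the library version to account for that. Either leave these names under the existing node or pair the move with a version bump in the same commit.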
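
An added example, not part of the original message or of the FreeBSD tree: a small Python check that reads a unified diff of a linker version script and reports which symbols changed version node and which were removed without being re-added, the two things the ABI concern in this thread turns on. The function name `audit_version_map_diff` and the sample diff are constructed for illustration; the sample only reuses a few names quoted above.

```python
import re

# Constructed sample diff (not the real patch), reusing names quoted above.
SAMPLE_DIFF = """\
@@ -1,3 +1,7 @@
+HEIMDAL_GSS_2.0 {
+    global:
+        gss_wrap;
+        gss_unwrap;
+};
 gssapi_krb5_2_MIT {
     global:
@@ -46,6 +50,3 @@ gssapi_krb5_2_MIT {
         gss_get_mic_iov;
-        gss_wrap;
-        gss_unwrap;
-        gss_inquire_sec_context_by_oid;
         gss_localname;
"""

NODE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*\{")       # "NAME {"
SYM_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*;")  # "symbol;"
HUNK_RE = re.compile(r"^@@ [^@]+ @@\s*(.*)$")             # hunk header + context

def audit_version_map_diff(diff_text):
    """Return (moved, dropped): node changes, and symbols removed everywhere."""
    added, removed = {}, {}          # symbol -> enclosing node name
    old_node = new_node = None       # current node on each side of the diff
    for line in diff_text.splitlines():
        hunk = HUNK_RE.match(line)
        if hunk:                     # git puts the enclosing "NODE {" after @@
            m = NODE_RE.match(hunk.group(1))
            old_node = new_node = m.group(1) if m else None
            continue
        if line[:1] not in (" ", "+", "-") or line.startswith(("---", "+++")):
            continue
        tag, body = line[0], line[1:]
        node, sym = NODE_RE.match(body), SYM_RE.match(body)
        if node:                     # context lines update both sides
            old_node = node.group(1) if tag != "+" else old_node
            new_node = node.group(1) if tag != "-" else new_node
        elif sym and tag == "-":
            removed[sym.group(1)] = old_node
        elif sym and tag == "+":
            added[sym.group(1)] = new_node
    moved = {s: (removed[s], added[s]) for s in removed
             if s in added and removed[s] != added[s]}
    return moved, sorted(s for s in removed if s not in added)
```

A non-empty `moved` result means existing binaries reference a version tag the symbol no longer carries; a non-empty `dropped` result means the name is no longer listed in any node touched by the diff.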