<<On Wed, 14 Sep 2016 15:21:46 -0400 (EDT), Benjamin Kaduk <kaduk_at_MIT.EDU> said: > Well, it's definitely too late for 11, now. > But, Debian is preparing to remove their heimdal package entirely, > imminently: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728 The primary issue, so far as I can see, is that Heimdal and MIT were only compatible in the parts of the API that were formally standardized. For those of us who need MIT (to have a working kadmin, for example), that has pretty much always boiled down to completely disabling Heimdal in base (and anything that depends on it, like OpenSSH, pam_krb5, and GSSAPI-authenticated NFS), and installing replacement bits from ports/packages. If we're going to remove Heimdal from base, we should completely deorbit (or disable, as appropriate) all of the things that depend on it, and make sure that there are ports that provide replacement functionality. (AFAIK the only thing missing is gssd, the user-mode side of the authenticated NFS support.) My bet would be that very few FreeBSD users actually take advantage of this support, and unless they're running in an all-FreeBSD or all-Heimdal shop probably have to install MIT Kerberos anyway. Since we're expecting to have packaged base complete for 12.0, having to install a few extra packages (and replace some base packages with ports packages) should not be an imposition, for those people who want Kerberos support, and for many of us it would make fresh installs less of a hassle. Since 11.0 hasn't been released yet, is it within the realm of possibility to officially deprecate Heimdal-in-base before it ships? At this stage all that would involve is putting an announcement in the release notes. -GAWollman (writing as the administrator of the CSAIL.MIT.EDU realm, but still not speaking for MIT)Received on Thu Sep 15 2016 - 00:07:17 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:07 UTC