kerberos is the new sqlite: disable, force mit, or ?

To: tech-pkg%netbsd.org@localhost
Subject: kerberos is the new sqlite: disable, force mit, or ?
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Tue, 03 Sep 2024 20:15:48 -0400

I just built pgsql 16, upgrading from 12, including depending packages:
postgis, gdal.  Mostly that was ok.

Starting qgis, I got a crash after about 10s, and it was in a gssapi
routine.

It turns out that pgsql16, rather than

  .  include "../../mk/krb5.buildlink3.mk"

has

  # This should be ../mk/krb5.buildlink3.mk. However, that may select
  # security/heimdal as the Kerberos implementation, and it doesn't have
  # gss_store_cred_into().
  .  include "../../security/mit-krb5/buildlink3.mk"

which is from fall of 2023.  You're in the CC if 'cvs ann' lists you
only as even adding a helpful comment later :-)  Not to complain, but
because you've though about this, probably more than me.

gdal-lib links against libpq (if you turn on pgsql, which I do, because
in qgis, data in postgis is normal).

curl links against gssapi, because kitchen sink.

qgis links against curl and gdal-lib

thus, qgis has both base heimdal and pkgsrc mit-krb5 gssapi libs.  This
apparently does not go well.

I see multiple possible paths:

  1) Decide that with variant APIs, krb is messy, and few use it, so
  disable gssapi by default in all packages.

  1A) Like 1, but disable it in most, especially curl.

  2) Decide that if even one package needs an API in mit-krb5 but not
  heimdal, that krb5.buildlink3.mk should only allow mit-krb5.  Decide
  that any base lib that includes any heimdal lib is not allowed as
  builtin.  This is more or less what we did for sqlite3.

  3) Don't use base heimdal but patch in the new API to pkgsrc heimdal.

  4) Do nothing, leaving people who want to run qgis/postgis to do step
  1 locally, and risking an increasing number of official binaries being
  broken.

I think 2 is the right answer architecturally.  1A is likely to mostly
work, and 1 seems sort of safe but heavyhanded.

I don't have the cycles to deal with this, but having found the bug
wanted to let people know.   Personally I'm operating under point 4,
with PKG_OPTIONS in my mk.conf.

Follow-Ups:
- Re: kerberos is the new sqlite: disable, force mit, or ?
  - From: Taylor R Campbell

Prev by Date: Re: gcc*-libs help needed: rpath needs fixing
Next by Date: Re: kerberos is the new sqlite: disable, force mit, or ?
Previous by Thread: gcc*-libs help needed: rpath needs fixing
Next by Thread: Re: kerberos is the new sqlite: disable, force mit, or ?
Indexes:

Home | Main Index | Thread Index | Old Index