Latest revision as of 19:36, February 6, 2015

Created on: 2015/02/06
Original Author(s): User:Mgorny
Status: Pending Review
Reference Bug: FL-2093

Funtoo Linux Optimization Proposal: Kerberos V implementations

Funtoo supports two binary-incompatible Kerberos V implementations: MIT and Heimdal. Ebuilds supporting both need to properly depend on them to ensure rebuilds.

Overview

There are currently two Kerberos V implementations in Funtoo:

  • MIT Kerberos V (app-crypt/mit-krb5),
  • Heimdal (app-crypt/heimdal).

Both implementations use the same library names and a partially compatible API. However, they are binary incompatible and use different (non-colliding) SONAMEs.

Many Kerberos V applications support both implementations. In this case, the relevant packages depend on virtual/krb5. Some applications support only one of the implementations and depend on it directly.


Issues with the current solution

Virtuals are based on the assumption that the providers can be switched at runtime. However, since the krb5 implementations are binary-incompatible, switching them at runtime is incorrect and breaks the reverse dependencies. Instead, an implementation switch needs to be followed by an automatic rebuild of the reverse dependencies.

Furthermore, the lack of explicit implementation control will be an issue if installing both implementations in parallel becomes possible in the future. This could be desirable, since some packages support only mit-krb5 and others support only heimdal.


Suggested solution

The simplest solution seems to be introducing a USE flag in all reverse dependencies that support both mit-krb5 and heimdal. The flag would decide which of the two implementations is used.

An example reverse dependency would look like:

example-1.ebuild
IUSE="heimdal"
RDEPEND="
    heimdal? ( app-crypt/heimdal:0= )
    !heimdal? ( app-crypt/mit-krb5:0= )"

If Kerberos V support is optional, the flags would be combined with the kerberos feature flag:

example-1.ebuild
IUSE="heimdal kerberos"
RDEPEND="
    kerberos? (
        heimdal? ( app-crypt/heimdal:0= )
        !heimdal? ( app-crypt/mit-krb5:0= )
    )"

This implementation implies that:

  1. The user is given an explicit choice of Kerberos V implementation.
  2. A switch of Kerberos V implementation causes a rebuild through --changed-use, thereby resolving the breakage caused by the ABI change.
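
To see which provider each USE setting selects in the two RDEPEND strings above, the following added example (not part of the proposal and not Portage code) evaluates USE-conditional groups. The names resolve, REQUIRED and OPTIONAL are hypothetical, and only "flag? ( ... )", "!flag? ( ... )" and plain atoms are handled.

```python
# Added example: minimal evaluator for USE-conditional dependency strings.
# Assumption: tokens are whitespace-separated, as in the ebuild snippets above.

# The two RDEPEND values from the proposal, flattened to one line each.
REQUIRED = "heimdal? ( app-crypt/heimdal:0= ) !heimdal? ( app-crypt/mit-krb5:0= )"
OPTIONAL = ("kerberos? ( heimdal? ( app-crypt/heimdal:0= ) "
            "!heimdal? ( app-crypt/mit-krb5:0= ) )")


def resolve(depstring, use):
    """Return the atoms that stay active for the set of enabled USE flags."""
    tokens = depstring.split()
    pos = 0

    def parse_group(active, depth):
        nonlocal pos
        atoms = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ")":
                if depth == 0:
                    raise ValueError("unbalanced ')'")
                return atoms
            if tok.endswith("?"):
                name = tok[:-1]
                negated = name.startswith("!")
                # "flag?" matches when enabled, "!flag?" when disabled.
                matches = (name.lstrip("!") in use) != negated
                if pos >= len(tokens) or tokens[pos] != "(":
                    raise ValueError(f"expected '(' after {tok}")
                pos += 1
                atoms += parse_group(active and matches, depth + 1)
            elif tok == "(":
                raise ValueError("bare groups are not supported here")
            elif active:
                atoms.append(tok)
        if depth > 0:
            raise ValueError("missing ')'")
        return atoms

    return parse_group(True, 0)


if __name__ == "__main__":
    for use in (set(), {"heimdal"}, {"kerberos"}, {"kerberos", "heimdal"}):
        print(sorted(use), resolve(REQUIRED, use), resolve(OPTIONAL, use))
```

For every USE combination exactly one implementation is pulled in, or none when kerberos is disabled, so the two providers are never mixed within one package.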
