FLOP:Kerberos V implementations

From Funtoo
Pending Review

Funtoo Linux Optimization Proposal: Kerberos V implementations

Funtoo supports two binary-incompatible Kerberos V implementations: MIT and Heimdal. Ebuilds supporting both need to properly depend on them to ensure rebuilds.


There are currently two Kerberos V implementations in Funtoo:

  • MIT Kerberos V,
  • Heimdal.

Both implementations use the same library names and a partially compatible API. However, they are binary incompatible and use different (non-colliding) SONAMEs.

Many Kerberos V applications support both implementations. In this case, the relevant packages depend on a virtual package. Some applications support only one of the implementations and depend on it directly.

Issues with the current solution

Virtuals are based on the assumption that the providers can be switched at runtime. However, since the krb5 implementations are binary-incompatible, switching them at runtime is incorrect and breaks the reverse dependencies. Instead, an implementation switch needs to be followed by an automatic rebuild of the reverse dependencies.

Furthermore, the lack of explicit implementation control will become an issue if installing both implementations in parallel becomes possible in the future. This could be desirable, since some packages support only mit-krb5 while others support only heimdal.

Suggested solution

The simplest solution seems to be introducing a USE flag in all reverse dependencies that support both mit-krb5 and heimdal. The flag would decide which of the two implementations is used.

An example reverse dependency would look like:

    IUSE="heimdal"
    RDEPEND="
        heimdal? ( app-crypt/heimdal:0= )
        !heimdal? ( app-crypt/mit-krb5:0= )"

If Kerberos V support is optional, the flags would be combined with the kerberos feature flag:

    IUSE="heimdal kerberos"
    RDEPEND="
        kerberos? (
            heimdal? ( app-crypt/heimdal:0= )
            !heimdal? ( app-crypt/mit-krb5:0= )
        )"

This implementation implies that:

  1. The user is given an explicit choice of Kerberos V implementation.
  2. Switching the Kerberos V implementation causes a rebuild through --changed-use, thereby resolving the breakage caused by the ABI change.
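
The effect of the proposed flags can be checked with a small resolver for the dependency syntax shown above. This is an added example, not Portage code and not part of the original proposal; the function names `resolve` and `switch_effect` are hypothetical, and only `flag? ( ... )`, `!flag? ( ... )` and plain atoms are handled.

```python
# Added example, not Portage code: resolves USE-conditional dependency strings.
# Handles only "flag? ( ... )", "!flag? ( ... )" and plain atoms.

# Dependency string from the proposal (optional Kerberos support).
RDEPEND = """
    kerberos? (
        heimdal? ( app-crypt/heimdal:0= )
        !heimdal? ( app-crypt/mit-krb5:0= )
    )"""


def _group(tokens, pos, use, active, top):
    """Collect atoms until the matching ')' (or end of input at top level)."""
    atoms = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ")":
            if top:
                raise ValueError("unbalanced ')'")
            return atoms, pos + 1
        if tok.endswith("?"):
            negate = tok.startswith("!")
            flag = tok[1:-1] if negate else tok[:-1]
            if pos + 1 >= len(tokens) or tokens[pos + 1] != "(":
                raise ValueError(f"'(' expected after {tok}")
            enabled = (flag in use) != negate
            inner, pos = _group(tokens, pos + 2, use, active and enabled, False)
            atoms += inner
        elif tok == "(":
            raise ValueError("unconditional groups are not handled here")
        else:
            if active:
                atoms.append(tok)
            pos += 1
    if not top:
        raise ValueError("missing ')'")
    return atoms, pos


def resolve(depstring, use):
    """Return the atoms a package pulls in for the given set of enabled flags."""
    atoms, _ = _group(depstring.split(), 0, use, True, True)
    return atoms


def switch_effect(depstring, old_use, new_use):
    """Return (dropped, added) atoms when the enabled flags change."""
    old, new = set(resolve(depstring, old_use)), set(resolve(depstring, new_use))
    return sorted(old - new), sorted(new - old)
```

Enabling `heimdal` on a package built with `kerberos` drops `app-crypt/mit-krb5:0=` and adds `app-crypt/heimdal:0=`, and a dependency string with a missing closing parenthesis is rejected with `ValueError` instead of being silently misread.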