Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Morgan, could you please test 'gsasl' from experimental? It should fix the GSSAPI issue you reported in #768352. If you can confirm, I can upload to unstable -- I'm hoping it is possible to fix this before the release. On Mon, Feb 16, 2015 at 11:38:46PM +0100, Simon Josefsson wrote: On 16/02/15 22:13, Simon Josefsson wrote: It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 On considering solutions, I don't like the unpredictability in depending on libkrb5-dev|libheimdal-dev. The GSSAPI library used by the binary libgsasl package in Debian will depend on whether the buildds have Heimdal or MIT installed when you built the package. Coping with different GSS libraries on different architecture sounds like a recipe for disaster. For Jessie, gsasl should be built against the same Kerberos library on all architectures, unless there is a reason not to -- and I don't know of a reason. MIT is picked arbitrarily here. Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded it) -- any comments? Jelmer, what prompted your initial report? The way I see it, it is important (for us) that you buildds don't have multiple Kerberos development packages installed when they build gsasl. So the old way was the preferred way, causing heimdal-dev to be removed and libkrb5-dev to be pulled in. People with other preferences who build their own packages can surely modify the gsasl package to their liking. I've pushed a fix in git and attmpted to upload to experimental, so you can test the new packages. The main reason for proposing this change was just to make it easier to have heimdal-dev installed while working on other parts of the system. At the moment, building gsasl requires uninstalling a number of packages for me, that indirectly depend on heimdal-dev. With the patch, the intent was to gsasl still build against MIT kerberos - e.g. no change in the binary packages. It merely changed the dependency from libkrb5-dev to libkrb5-multidev, the latter of which doesn't prevent heimdal-dev from being installed. Right -- but the patch also had the consequence of completely disabling GSSAPI in gsasl. Reverting the patch makes GSSAPI work again. FWIW the patch applied to the Debian package was different from the one I provided with the original bug report. (https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=0001-Depend-on-krb5-multidev-rather-than-libkrb5-dev.patch;att=1;bug=745332) The upload that closed this bug just changes the dependency from libkrb5-dev to libkrb5-multidev (rather than krb5-multidev) and doesn't set KRB5_CONFIG. (http://anonscm.debian.org/cgit/pkg-xmpp/gsasl.git/commit/?id=1bbeb7bc1e9404daaf1cdef64ec382794a77b217) Yeah, I made a typo in the first upload, and I thought Andreas fixed that but now that I look I see that the rest of your patch was not merged. Oops. Anyway, as you say, I can manually patch gsasl if I need to, and at the moment I don't work on any packages that depend on libgsasl-dev. I still think it would be nice to not have gsasl conflict with heimdal-dev, but it's not the end of the world if it doesn't. Maybe libkrb5-dev|heimdal-dev is a better build-dep -- but I don't know what holds for Debian buildds: are they allowed to have some packages pre-installed? If they can never have heimdal-dev installed (or for some other reason prefer heimdal-dev over libkrb5-dev), I don't see a problem using libkrb5-dev|heimdal-dev instead of libkrb5-dev. But if there are no guarantees, I prefer hard-coding libkrb5-dev to avoid linking with different Kerberos libraries depending on Debian architecture. Does anyone know? heimdal and MIT kerberos have enough differences in behaviour that I think allowing to build against build is likely to cause unexpected behaviour for users. MIT and Heimdal support different settings in krb5.conf, for example. gsasl also currently doesn't build against heimdal-dev: /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -D_FORTIFY_SOURCE=2 -fvisibility=hidden -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -c -o gss-extra.lo gss-extra.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -D_FORTIFY_SOURCE=2 -fvisibility=hidden -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -c gss-extra.c -fPIC -DPIC -o .libs/gss-extra.o In file included from /usr/include/gssapi.h:39:0, from gss-extra.h:30, from gss-extra.c:28: gss-extra.c:43:9: error: expected identifier or '(' before '' token gss_OID GSS_C_NT_HOSTBASED_SERVICE = tmp; ^ For exactly this reason, cyrus sasl builds modules
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
On Mon, Feb 16, 2015 at 11:38:46PM +0100, Simon Josefsson wrote: On 16/02/15 22:13, Simon Josefsson wrote: It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 On considering solutions, I don't like the unpredictability in depending on libkrb5-dev|libheimdal-dev. The GSSAPI library used by the binary libgsasl package in Debian will depend on whether the buildds have Heimdal or MIT installed when you built the package. Coping with different GSS libraries on different architecture sounds like a recipe for disaster. For Jessie, gsasl should be built against the same Kerberos library on all architectures, unless there is a reason not to -- and I don't know of a reason. MIT is picked arbitrarily here. Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded it) -- any comments? Jelmer, what prompted your initial report? The way I see it, it is important (for us) that you buildds don't have multiple Kerberos development packages installed when they build gsasl. So the old way was the preferred way, causing heimdal-dev to be removed and libkrb5-dev to be pulled in. People with other preferences who build their own packages can surely modify the gsasl package to their liking. I've pushed a fix in git and attmpted to upload to experimental, so you can test the new packages. The main reason for proposing this change was just to make it easier to have heimdal-dev installed while working on other parts of the system. At the moment, building gsasl requires uninstalling a number of packages for me, that indirectly depend on heimdal-dev. With the patch, the intent was to gsasl still build against MIT kerberos - e.g. no change in the binary packages. It merely changed the dependency from libkrb5-dev to libkrb5-multidev, the latter of which doesn't prevent heimdal-dev from being installed. Right -- but the patch also had the consequence of completely disabling GSSAPI in gsasl. Reverting the patch makes GSSAPI work again. FWIW the patch applied to the Debian package was different from the one I provided with the original bug report. (https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=0001-Depend-on-krb5-multidev-rather-than-libkrb5-dev.patch;att=1;bug=745332) The upload that closed this bug just changes the dependency from libkrb5-dev to libkrb5-multidev (rather than krb5-multidev) and doesn't set KRB5_CONFIG. (http://anonscm.debian.org/cgit/pkg-xmpp/gsasl.git/commit/?id=1bbeb7bc1e9404daaf1cdef64ec382794a77b217) Anyway, as you say, I can manually patch gsasl if I need to, and at the moment I don't work on any packages that depend on libgsasl-dev. I still think it would be nice to not have gsasl conflict with heimdal-dev, but it's not the end of the world if it doesn't. Maybe libkrb5-dev|heimdal-dev is a better build-dep -- but I don't know what holds for Debian buildds: are they allowed to have some packages pre-installed? If they can never have heimdal-dev installed (or for some other reason prefer heimdal-dev over libkrb5-dev), I don't see a problem using libkrb5-dev|heimdal-dev instead of libkrb5-dev. But if there are no guarantees, I prefer hard-coding libkrb5-dev to avoid linking with different Kerberos libraries depending on Debian architecture. Does anyone know? heimdal and MIT kerberos have enough differences in behaviour that I think allowing to build against build is likely to cause unexpected behaviour for users. MIT and Heimdal support different settings in krb5.conf, for example. gsasl also currently doesn't build against heimdal-dev: /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -D_FORTIFY_SOURCE=2 -fvisibility=hidden -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -c -o gss-extra.lo gss-extra.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -D_FORTIFY_SOURCE=2 -fvisibility=hidden -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall -c gss-extra.c -fPIC -DPIC -o .libs/gss-extra.o In file included from /usr/include/gssapi.h:39:0, from gss-extra.h:30, from gss-extra.c:28: gss-extra.c:43:9: error: expected identifier or '(' before '' token gss_OID GSS_C_NT_HOSTBASED_SERVICE = tmp; ^ For exactly this reason, cyrus sasl builds modules against both heimdal and MIT kerberos (libsasl2-modules-gssapi-heimdal and libsasl2-modules-gssapi-mit). This late in the release cycle, it's probably safest to go back to just depending on libkrb5-dev. Cheers, Jelmer -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 On considering solutions, I don't like the unpredictability in depending on libkrb5-dev|libheimdal-dev. The GSSAPI library used by the binary libgsasl package in Debian will depend on whether the buildds have Heimdal or MIT installed when you built the package. Coping with different GSS libraries on different architecture sounds like a recipe for disaster. For Jessie, gsasl should be built against the same Kerberos library on all architectures, unless there is a reason not to -- and I don't know of a reason. MIT is picked arbitrarily here. Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded it) -- any comments? Jelmer, what prompted your initial report? The way I see it, it is important (for us) that you buildds don't have multiple Kerberos development packages installed when they build gsasl. So the old way was the preferred way, causing heimdal-dev to be removed and libkrb5-dev to be pulled in. People with other preferences who build their own packages can surely modify the gsasl package to their liking. I've pushed a fix in git and attmpted to upload to experimental, so you can test the new packages. /Simon pgpTXn8nmJV3r.pgp Description: OpenPGP digital signatur
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Hi, Jelmer 17.02.2015 0:51, Jelmer Vernooij пишет: On 16/02/15 22:13, Simon Josefsson wrote: It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 [skip] With the patch, the intent was to gsasl still build against MIT kerberos - e.g. no change in the binary packages. It merely changed the dependency from libkrb5-dev to libkrb5-multidev, the latter of which doesn't prevent heimdal-dev from being installed. With Your patch gsasl configure can't find krb5-config. From buildd logs above: configure: checking for GSS implementation (mit) configure: WARNING: MIT Kerberos krb5-config not found, disabling GSSAPI Without patch (1.8.0-4): configure: checking for GSS implementation (mit) configure: trying MIT checking for krb5-config... /usr/bin/krb5-config So binary files are differ: 1.8.0-4 support GSSAPI and 1.6.0-6 - does not support. -- With best wishes Max -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Den Mon, 16 Feb 2015 22:51:26 +0100 skrev Re: Bug#776847: gsasl 1.8.0-6 does not support GSSAPI: On 16/02/15 22:13, Simon Josefsson wrote: It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 On considering solutions, I don't like the unpredictability in depending on libkrb5-dev|libheimdal-dev. The GSSAPI library used by the binary libgsasl package in Debian will depend on whether the buildds have Heimdal or MIT installed when you built the package. Coping with different GSS libraries on different architecture sounds like a recipe for disaster. For Jessie, gsasl should be built against the same Kerberos library on all architectures, unless there is a reason not to -- and I don't know of a reason. MIT is picked arbitrarily here. Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded it) -- any comments? Jelmer, what prompted your initial report? The way I see it, it is important (for us) that you buildds don't have multiple Kerberos development packages installed when they build gsasl. So the old way was the preferred way, causing heimdal-dev to be removed and libkrb5-dev to be pulled in. People with other preferences who build their own packages can surely modify the gsasl package to their liking. I've pushed a fix in git and attmpted to upload to experimental, so you can test the new packages. The main reason for proposing this change was just to make it easier to have heimdal-dev installed while working on other parts of the system. At the moment, building gsasl requires uninstalling a number of packages for me, that indirectly depend on heimdal-dev. With the patch, the intent was to gsasl still build against MIT kerberos - e.g. no change in the binary packages. It merely changed the dependency from libkrb5-dev to libkrb5-multidev, the latter of which doesn't prevent heimdal-dev from being installed. Right -- but the patch also had the consequence of completely disabling GSSAPI in gsasl. Reverting the patch makes GSSAPI work again. Anyway, as you say, I can manually patch gsasl if I need to, and at the moment I don't work on any packages that depend on libgsasl-dev. I still think it would be nice to not have gsasl conflict with heimdal-dev, but it's not the end of the world if it doesn't. Maybe libkrb5-dev|heimdal-dev is a better build-dep -- but I don't know what holds for Debian buildds: are they allowed to have some packages pre-installed? If they can never have heimdal-dev installed (or for some other reason prefer heimdal-dev over libkrb5-dev), I don't see a problem using libkrb5-dev|heimdal-dev instead of libkrb5-dev. But if there are no guarantees, I prefer hard-coding libkrb5-dev to avoid linking with different Kerberos libraries depending on Debian architecture. Does anyone know? Btw, packages have hit experimental, if someone wants to test them. We can look at build logs to see if it enables GSSAPI or not. /Simon Cheers, Jelmer pgpSbqZz2UQGk.pgp Description: OpenPGP digital signatur
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
On 16/02/15 22:13, Simon Josefsson wrote: It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 On considering solutions, I don't like the unpredictability in depending on libkrb5-dev|libheimdal-dev. The GSSAPI library used by the binary libgsasl package in Debian will depend on whether the buildds have Heimdal or MIT installed when you built the package. Coping with different GSS libraries on different architecture sounds like a recipe for disaster. For Jessie, gsasl should be built against the same Kerberos library on all architectures, unless there is a reason not to -- and I don't know of a reason. MIT is picked arbitrarily here. Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded it) -- any comments? Jelmer, what prompted your initial report? The way I see it, it is important (for us) that you buildds don't have multiple Kerberos development packages installed when they build gsasl. So the old way was the preferred way, causing heimdal-dev to be removed and libkrb5-dev to be pulled in. People with other preferences who build their own packages can surely modify the gsasl package to their liking. I've pushed a fix in git and attmpted to upload to experimental, so you can test the new packages. The main reason for proposing this change was just to make it easier to have heimdal-dev installed while working on other parts of the system. At the moment, building gsasl requires uninstalling a number of packages for me, that indirectly depend on heimdal-dev. With the patch, the intent was to gsasl still build against MIT kerberos - e.g. no change in the binary packages. It merely changed the dependency from libkrb5-dev to libkrb5-multidev, the latter of which doesn't prevent heimdal-dev from being installed. Anyway, as you say, I can manually patch gsasl if I need to, and at the moment I don't work on any packages that depend on libgsasl-dev. I still think it would be nice to not have gsasl conflict with heimdal-dev, but it's not the end of the world if it doesn't. Cheers, Jelmer signature.asc Description: OpenPGP digital signature
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Max Kosmach m...@tcen.ru writes: Any news about this ticket? Patch is very simple, please change Build-Depends from krb5-multidev to something like libkrb5-dev | libheimdal-dev I'm happy to make the change and upload a new package if there is consensus that this is the right thing to do. I can't judge myself. /Simon signature.asc Description: PGP signature
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Any news about this ticket? Patch is very simple, please change Build-Depends from krb5-multidev to something like libkrb5-dev | libheimdal-dev -- With best wishes Max -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Package: libgsasl7 Version: 1.8.0-6 Severity: important I think that fix for #745332 was incorrect. krb5-multidev does not contain krb5-config, so configure from gsasl can't find Kerberos via krb5-config and disable GSSAPI support. I think that Build-depends should look line libkrb5-dev | heimdal-dev Please re-enable GSSAPI support. -- With best wishes Max -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org