Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Morgan, could you please test 'gsasl' from experimental? It should fix
the GSSAPI issue you reported in #768352. If you can confirm, I can
upload to unstable -- I'm hoping it is possible to fix this before the
release.
On Mon, Feb 16, 2015 at 11:38:46PM +0100, Simon Josefsson wrote:
On 16/02/15 22:13, Simon Josefsson wrote:
It seems clear that the #745332 fix was incorrect. You can see
in the build logs GSSAPI is not enabled since krb5-config isn't
found:
https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018
On considering solutions, I don't like the unpredictability in
depending on libkrb5-dev|libheimdal-dev. The GSSAPI library
used by the binary libgsasl package in Debian will depend on
whether the buildds have Heimdal or MIT installed when you
built the package. Coping with different GSS libraries on
different architecture sounds like a recipe for disaster. For
Jessie, gsasl should be built against the same Kerberos library
on all architectures, unless there is a reason not to -- and I
don't know of a reason. MIT is picked arbitrarily here.
Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded
it) -- any comments? Jelmer, what prompted your initial
report? The way I see it, it is important (for us) that you
buildds don't have multiple Kerberos development packages
installed when they build gsasl. So the old way was the
preferred way, causing heimdal-dev to be removed and
libkrb5-dev to be pulled in. People with other preferences who
build their own packages can surely modify the gsasl package to
their liking.
I've pushed a fix in git and attmpted to upload to
experimental, so you can test the new packages.
The main reason for proposing this change was just to make it
easier to have heimdal-dev installed while working on other parts
of the system. At the moment, building gsasl requires
uninstalling a number of packages for me, that indirectly depend
on heimdal-dev.
With the patch, the intent was to gsasl still build against MIT
kerberos
- e.g. no change in the binary packages. It merely changed the
dependency from libkrb5-dev to libkrb5-multidev, the latter of
which doesn't prevent heimdal-dev from being installed.
Right -- but the patch also had the consequence of completely
disabling GSSAPI in gsasl. Reverting the patch makes GSSAPI work
again.
FWIW the patch applied to the Debian package was different from the
one I provided with the original bug report.
(https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=0001-Depend-on-krb5-multidev-rather-than-libkrb5-dev.patch;att=1;bug=745332)
The upload that closed this bug just changes the dependency
from libkrb5-dev to libkrb5-multidev (rather than krb5-multidev)
and doesn't set KRB5_CONFIG.
(http://anonscm.debian.org/cgit/pkg-xmpp/gsasl.git/commit/?id=1bbeb7bc1e9404daaf1cdef64ec382794a77b217)
Yeah, I made a typo in the first upload, and I thought Andreas fixed
that but now that I look I see that the rest of your patch was not
merged. Oops.
Anyway, as you say, I can manually patch gsasl if I need to, and
at the moment I don't work on any packages that depend on
libgsasl-dev. I still think it would be nice to not have gsasl
conflict with heimdal-dev, but it's not the end of the world if
it doesn't.
Maybe libkrb5-dev|heimdal-dev is a better build-dep -- but I don't
know what holds for Debian buildds: are they allowed to have some
packages pre-installed? If they can never have heimdal-dev
installed (or for some other reason prefer heimdal-dev over
libkrb5-dev), I don't see a problem using libkrb5-dev|heimdal-dev
instead of libkrb5-dev. But if there are no guarantees, I prefer
hard-coding libkrb5-dev to avoid linking with different Kerberos
libraries depending on Debian architecture. Does anyone know?
heimdal and MIT kerberos have enough differences in behaviour that I
think allowing to build against build is likely to cause unexpected
behaviour for users. MIT and Heimdal support different settings in
krb5.conf, for example.
gsasl also currently doesn't build against heimdal-dev:
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H
-I. -I.. -I../intl -D_FORTIFY_SOURCE=2 -fvisibility=hidden -g -O2
-fstack-protector-strong -Wformat -Werror=format-security -Wall -c -o
gss-extra.lo gss-extra.c libtool: compile: gcc -DHAVE_CONFIG_H -I.
-I.. -I../intl -D_FORTIFY_SOURCE=2 -fvisibility=hidden -g -O2
-fstack-protector-strong -Wformat -Werror=format-security -Wall -c
gss-extra.c -fPIC -DPIC -o .libs/gss-extra.o In file included
from /usr/include/gssapi.h:39:0, from gss-extra.h:30, from
gss-extra.c:28: gss-extra.c:43:9: error: expected identifier or '('
before '' token gss_OID GSS_C_NT_HOSTBASED_SERVICE = tmp; ^
For exactly this reason, cyrus sasl builds modules
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
On Mon, Feb 16, 2015 at 11:38:46PM +0100, Simon Josefsson wrote:
On 16/02/15 22:13, Simon Josefsson wrote:
It seems clear that the #745332 fix was incorrect. You can see in
the build logs GSSAPI is not enabled since krb5-config isn't found:
https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018
On considering solutions, I don't like the unpredictability in
depending on libkrb5-dev|libheimdal-dev. The GSSAPI library used by
the binary libgsasl package in Debian will depend on whether the
buildds have Heimdal or MIT installed when you built the package.
Coping with different GSS libraries on different architecture
sounds like a recipe for disaster. For Jessie, gsasl should be
built against the same Kerberos library on all architectures,
unless there is a reason not to -- and I don't know of a reason.
MIT is picked arbitrarily here.
Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded it) --
any comments? Jelmer, what prompted your initial report? The way I
see it, it is important (for us) that you buildds don't have
multiple Kerberos development packages installed when they build
gsasl. So the old way was the preferred way, causing heimdal-dev
to be removed and libkrb5-dev to be pulled in. People with other
preferences who build their own packages can surely modify the
gsasl package to their liking.
I've pushed a fix in git and attmpted to upload to experimental, so
you can test the new packages.
The main reason for proposing this change was just to make it easier
to have heimdal-dev installed while working on other parts of the
system. At the moment, building gsasl requires uninstalling a number
of packages for me, that indirectly depend on heimdal-dev.
With the patch, the intent was to gsasl still build against MIT
kerberos
- e.g. no change in the binary packages. It merely changed the
dependency from libkrb5-dev to libkrb5-multidev, the latter of which
doesn't prevent heimdal-dev from being installed.
Right -- but the patch also had the consequence of completely disabling
GSSAPI in gsasl. Reverting the patch makes GSSAPI work again.
FWIW the patch applied to the Debian package was different from the one I
provided with the original bug report.
(https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=0001-Depend-on-krb5-multidev-rather-than-libkrb5-dev.patch;att=1;bug=745332)
The upload that closed this bug just changes the dependency
from libkrb5-dev to libkrb5-multidev (rather than krb5-multidev)
and doesn't set KRB5_CONFIG.
(http://anonscm.debian.org/cgit/pkg-xmpp/gsasl.git/commit/?id=1bbeb7bc1e9404daaf1cdef64ec382794a77b217)
Anyway, as you say, I can manually patch gsasl if I need to, and at
the moment I don't work on any packages that depend on libgsasl-dev.
I still think it would be nice to not have gsasl conflict with
heimdal-dev, but it's not the end of the world if it doesn't.
Maybe libkrb5-dev|heimdal-dev is a better build-dep -- but I don't know
what holds for Debian buildds: are they allowed to have some packages
pre-installed? If they can never have heimdal-dev installed (or for
some other reason prefer heimdal-dev over libkrb5-dev), I don't see a
problem using libkrb5-dev|heimdal-dev instead of libkrb5-dev. But if
there are no guarantees, I prefer hard-coding libkrb5-dev to avoid
linking with different Kerberos libraries depending on Debian
architecture. Does anyone know?
heimdal and MIT kerberos have enough differences in behaviour that I
think allowing to build against build is likely to cause unexpected
behaviour for users. MIT and Heimdal support different settings in krb5.conf,
for example.
gsasl also currently doesn't build against heimdal-dev:
/bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I..
-I../intl -D_FORTIFY_SOURCE=2 -fvisibility=hidden -g -O2
-fstack-protector-strong -Wformat -Werror=format-security -Wall -c -o
gss-extra.lo gss-extra.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -D_FORTIFY_SOURCE=2
-fvisibility=hidden -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wall -c gss-extra.c -fPIC -DPIC -o .libs/gss-extra.o
In file included from /usr/include/gssapi.h:39:0,
from gss-extra.h:30,
from gss-extra.c:28:
gss-extra.c:43:9: error: expected identifier or '(' before '' token
gss_OID GSS_C_NT_HOSTBASED_SERVICE = tmp;
^
For exactly this reason, cyrus sasl builds modules against both heimdal
and MIT kerberos (libsasl2-modules-gssapi-heimdal and
libsasl2-modules-gssapi-mit).
This late in the release cycle, it's probably safest to go back to just
depending on libkrb5-dev.
Cheers,
Jelmer
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 On considering solutions, I don't like the unpredictability in depending on libkrb5-dev|libheimdal-dev. The GSSAPI library used by the binary libgsasl package in Debian will depend on whether the buildds have Heimdal or MIT installed when you built the package. Coping with different GSS libraries on different architecture sounds like a recipe for disaster. For Jessie, gsasl should be built against the same Kerberos library on all architectures, unless there is a reason not to -- and I don't know of a reason. MIT is picked arbitrarily here. Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded it) -- any comments? Jelmer, what prompted your initial report? The way I see it, it is important (for us) that you buildds don't have multiple Kerberos development packages installed when they build gsasl. So the old way was the preferred way, causing heimdal-dev to be removed and libkrb5-dev to be pulled in. People with other preferences who build their own packages can surely modify the gsasl package to their liking. I've pushed a fix in git and attmpted to upload to experimental, so you can test the new packages. /Simon pgpTXn8nmJV3r.pgp Description: OpenPGP digital signatur
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Hi, Jelmer 17.02.2015 0:51, Jelmer Vernooij пишет: On 16/02/15 22:13, Simon Josefsson wrote: It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 [skip] With the patch, the intent was to gsasl still build against MIT kerberos - e.g. no change in the binary packages. It merely changed the dependency from libkrb5-dev to libkrb5-multidev, the latter of which doesn't prevent heimdal-dev from being installed. With Your patch gsasl configure can't find krb5-config. From buildd logs above: configure: checking for GSS implementation (mit) configure: WARNING: MIT Kerberos krb5-config not found, disabling GSSAPI Without patch (1.8.0-4): configure: checking for GSS implementation (mit) configure: trying MIT checking for krb5-config... /usr/bin/krb5-config So binary files are differ: 1.8.0-4 support GSSAPI and 1.6.0-6 - does not support. -- With best wishes Max -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Den Mon, 16 Feb 2015 22:51:26 +0100 skrev Re: Bug#776847: gsasl 1.8.0-6 does not support GSSAPI: On 16/02/15 22:13, Simon Josefsson wrote: It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 On considering solutions, I don't like the unpredictability in depending on libkrb5-dev|libheimdal-dev. The GSSAPI library used by the binary libgsasl package in Debian will depend on whether the buildds have Heimdal or MIT installed when you built the package. Coping with different GSS libraries on different architecture sounds like a recipe for disaster. For Jessie, gsasl should be built against the same Kerberos library on all architectures, unless there is a reason not to -- and I don't know of a reason. MIT is picked arbitrarily here. Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded it) -- any comments? Jelmer, what prompted your initial report? The way I see it, it is important (for us) that you buildds don't have multiple Kerberos development packages installed when they build gsasl. So the old way was the preferred way, causing heimdal-dev to be removed and libkrb5-dev to be pulled in. People with other preferences who build their own packages can surely modify the gsasl package to their liking. I've pushed a fix in git and attmpted to upload to experimental, so you can test the new packages. The main reason for proposing this change was just to make it easier to have heimdal-dev installed while working on other parts of the system. At the moment, building gsasl requires uninstalling a number of packages for me, that indirectly depend on heimdal-dev. With the patch, the intent was to gsasl still build against MIT kerberos - e.g. no change in the binary packages. It merely changed the dependency from libkrb5-dev to libkrb5-multidev, the latter of which doesn't prevent heimdal-dev from being installed. Right -- but the patch also had the consequence of completely disabling GSSAPI in gsasl. Reverting the patch makes GSSAPI work again. Anyway, as you say, I can manually patch gsasl if I need to, and at the moment I don't work on any packages that depend on libgsasl-dev. I still think it would be nice to not have gsasl conflict with heimdal-dev, but it's not the end of the world if it doesn't. Maybe libkrb5-dev|heimdal-dev is a better build-dep -- but I don't know what holds for Debian buildds: are they allowed to have some packages pre-installed? If they can never have heimdal-dev installed (or for some other reason prefer heimdal-dev over libkrb5-dev), I don't see a problem using libkrb5-dev|heimdal-dev instead of libkrb5-dev. But if there are no guarantees, I prefer hard-coding libkrb5-dev to avoid linking with different Kerberos libraries depending on Debian architecture. Does anyone know? Btw, packages have hit experimental, if someone wants to test them. We can look at build logs to see if it enables GSSAPI or not. /Simon Cheers, Jelmer pgpSbqZz2UQGk.pgp Description: OpenPGP digital signatur
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
On 16/02/15 22:13, Simon Josefsson wrote: It seems clear that the #745332 fix was incorrect. You can see in the build logs GSSAPI is not enabled since krb5-config isn't found: https://buildd.debian.org/status/fetch.php?pkg=gsaslarch=amd64ver=1.8.0-6stamp=1412611018 On considering solutions, I don't like the unpredictability in depending on libkrb5-dev|libheimdal-dev. The GSSAPI library used by the binary libgsasl package in Debian will depend on whether the buildds have Heimdal or MIT installed when you built the package. Coping with different GSS libraries on different architecture sounds like a recipe for disaster. For Jessie, gsasl should be built against the same Kerberos library on all architectures, unless there is a reason not to -- and I don't know of a reason. MIT is picked arbitrarily here. Cc'ing Jelmer (who reported 745332) and Andreas (who uploaded it) -- any comments? Jelmer, what prompted your initial report? The way I see it, it is important (for us) that you buildds don't have multiple Kerberos development packages installed when they build gsasl. So the old way was the preferred way, causing heimdal-dev to be removed and libkrb5-dev to be pulled in. People with other preferences who build their own packages can surely modify the gsasl package to their liking. I've pushed a fix in git and attmpted to upload to experimental, so you can test the new packages. The main reason for proposing this change was just to make it easier to have heimdal-dev installed while working on other parts of the system. At the moment, building gsasl requires uninstalling a number of packages for me, that indirectly depend on heimdal-dev. With the patch, the intent was to gsasl still build against MIT kerberos - e.g. no change in the binary packages. It merely changed the dependency from libkrb5-dev to libkrb5-multidev, the latter of which doesn't prevent heimdal-dev from being installed. Anyway, as you say, I can manually patch gsasl if I need to, and at the moment I don't work on any packages that depend on libgsasl-dev. I still think it would be nice to not have gsasl conflict with heimdal-dev, but it's not the end of the world if it doesn't. Cheers, Jelmer signature.asc Description: OpenPGP digital signature
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Max Kosmach m...@tcen.ru writes: Any news about this ticket? Patch is very simple, please change Build-Depends from krb5-multidev to something like libkrb5-dev | libheimdal-dev I'm happy to make the change and upload a new package if there is consensus that this is the right thing to do. I can't judge myself. /Simon signature.asc Description: PGP signature
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Any news about this ticket? Patch is very simple, please change Build-Depends from krb5-multidev to something like libkrb5-dev | libheimdal-dev -- With best wishes Max -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#776847: gsasl 1.8.0-6 does not support GSSAPI
Package: libgsasl7 Version: 1.8.0-6 Severity: important I think that fix for #745332 was incorrect. krb5-multidev does not contain krb5-config, so configure from gsasl can't find Kerberos via krb5-config and disable GSSAPI support. I think that Build-depends should look line libkrb5-dev | heimdal-dev Please re-enable GSSAPI support. -- With best wishes Max -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
