Re: Preparing for the Heimdal 7 Release

2016-10-19 Thread Jelmer Vernooij
On Wed, Oct 19, 2016 at 01:02:43PM -0700, Russ Allbery wrote:
> "Roland C. Dowdeswell"  writes:
> 
> > A team consisting of staff from Two Sigma Open Source and AuriStor
> > is starting the release process for Heimdal version 7.  We have
> > changed the version of the master branch to 6.99.1 which will be
> > considered our beta.  During the beta period, we will be fixing
> > remaining issues.  In addition, we are asking for the community to
> > submit any final patches or bug reports before the 1st of
> > November.
> 
> > We expect to publish the first release candidate on or near the
> > 11th of November.
> 
> That's great news!
> 
> There is some possibility that will be fast enough to allow reintroduction
> of Heimdal into the next stable release of Debian, depending on how fast
> the release candidate process converges in a stable release.  However,
> it's going to have to be fairly quick, since the window for making it into
> a stable release is rapidly closing.
> 
> November 5th is the start of stretch transition freeze, after which major
> transitions have to be coordinated with the release team.  Reintroduction
> of Heimdal will probably not qualify as a transition because Debian is
> currently dropping Heimdal entirely from the distribution.

That's indeed awesome news!

However, like Russ says, the timing isn't great.  We've been asking
for a release for years. If this had happened earlier, that would have
saved a lot of unnecessary work on the Debian side. :-(

We've fortunately got a little bit more leeway now that the freeze was
deferred by two months to allow Linux 4.10 to be included.

The full stretch life cycle is documented at
https://wiki.debian.org/DebianStretch

Brian May and I are the current uploaders for Heimdal in Debian.
Because of the lack of releases, I've been coordinating the removal
from stretch (the next Debian release) the last couple of months.

So far the main thing that's happened is that packages that can build
against either Heimdal or MIT and previously built against Heimdal
have switched over to building against MIT.

Heimdal itself is currently still in stretch, but two packages that
build against *both* MIT and Heimdal - libpam (maintained
by Russ) and libpam-krb5-migrate (maintained by myself) - have dropped
support for Heimdal. Requests are open against OpenLDAP and
cyrus-sasl2 to drop Heimdal support.

If we want to have the option of keeping Heimdal iff a release
happens before mid-December, we need to coordinate with the Debian
release team. As a transition, it should be a lot less daunting now
that most dependencies have been removed. Between Russ and
myself, we can upload all packages that depend on Heimdal.

Cheers,

Jelmer




Re: Preparing for the Heimdal 7 Release

2016-10-19 Thread Quanah Gibson-Mount
--On Wednesday, October 19, 2016 4:52 PM -0400 "Roland C. Dowdeswell" wrote:

> And, again, we aren't quite finished.  Organizations and
> individuals wishing to submit changes to Heimdal for this
> release are encouraged to do so no later than 1 November 2016.


I raised this ticket at the end of March.  While I don't have any patches 
for it, I am hoping someone does, or has the time to take care of it. 
Without this being fixed, Heimdal is incompatible with the default Kerberos 
setups on RHEL out of the box:




Thanks,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:




Re: Preparing for the Heimdal 7 Release

2016-10-19 Thread Jeffrey Hutzelman
On Wed, 2016-10-19 at 13:02 -0700, Russ Allbery wrote:
> January 5th is the soft freeze, beyond which new packages cannot be
> introduced into Debian stretch.  This is probably the last possible date
> for Heimdal 7 making it into the next Debian stable release.  If there is
> no stable release of Heimdal (with security support) by this point, and
> more realistically several weeks prior to this for people to package it
> (assuming the Heimdal packaging team in Debian is still willing to package
> Heimdal), Debian stable will ship without Heimdal.

I'd really like to avoid that happening.  Last I checked, Heimdal was
being maintained in Debian by Brian May.  If he's no longer interested
in doing so, and assuming we can get a stable release in a timely
fashion, I can probably scare up some cycles to get the packaging in
shape.  Someone else will have to do the uploads, though...

-- Jeff


Re: Preparing for the Heimdal 7 Release

2016-10-19 Thread Russ Allbery
"Roland C. Dowdeswell"  writes:

>   A team consisting of staff from Two Sigma Open Source and AuriStor
>   is starting the release process for Heimdal version 7.  We have
>   changed the version of the master branch to 6.99.1 which will be
>   considered our beta.  During the beta period, we will be fixing
>   remaining issues.  In addition, we are asking for the community to
>   submit any final patches or bug reports before the 1st of
>   November.

>   We expect to publish the first release candidate on or near the
>   11th of November.

That's great news!

There is some possibility that will be fast enough to allow reintroduction
of Heimdal into the next stable release of Debian, depending on how fast
the release candidate process converges in a stable release.  However,
it's going to have to be fairly quick, since the window for making it into
a stable release is rapidly closing.

November 5th is the start of stretch transition freeze, after which major
transitions have to be coordinated with the release team.  Reintroduction
of Heimdal will probably not qualify as a transition because Debian is
currently dropping Heimdal entirely from the distribution.

January 5th is the soft freeze, beyond which new packages cannot be
introduced into Debian stretch.  This is probably the last possible date
for Heimdal 7 making it into the next Debian stable release.  If there is
no stable release of Heimdal (with security support) by this point, and
more realistically several weeks prior to this for people to package it
(assuming the Heimdal packaging team in Debian is still willing to package
Heimdal), Debian stable will ship without Heimdal.

Note that I just removed the Heimdal PAM module from Debian unstable and
testing with an upload today.  I won't want to reintroduce this until
there is a stable and security-supported release of Heimdal packaged for
Debian.

-- 
Russ Allbery (ea...@eyrie.org)  


Preparing for the Heimdal 7 Release

2016-10-19 Thread Roland C. Dowdeswell
Dear Heimdal Community,

A team consisting of staff from Two Sigma Open Source and AuriStor
is starting the release process for Heimdal version 7.  We have
changed the version of the master branch to 6.99.1 which will be
considered our beta.  During the beta period, we will be fixing
remaining issues.  In addition, we are asking for the community
to submit any final patches or bug reports before the 1st of
November.

We expect to publish the first release candidate on or near the
11th of November.


Why 7?

We are adopting a new versioning scheme.

o  Each feature release will have a new major number.

o  The minor will be a patch level.  A value of 0 is
   reserved for release candidates.  A value of 99 is
   reserved for development.

o  Stable releases will not have a micro number.

o  Micro numbers will be incremented in release candidates
   and development as needed.

For example, the first release candidate will be 7.0.1.  The next
7.0.2, then 7.0.3, etc.  When the final release candidate is
deemed production quality, it will be renumbered as 7.1.
All bug fixes will then be 7.2, 7.3, etc.

New development for Heimdal 8 will be 7.99.1, 7.99.2, 7.99.3, etc.

When the next feature release is issued its version number will
start with 8.0.1 as the first release candidate and the first
release will be 8.1.


What will be in 7?

We have a lot of major improvements since our last official
release, including:

o  hcrypto is now thread safe on all platforms and
   as much as possible hcrypto now uses the operating
   system's preferred crypto implementation ensuring
   that optimized hardware assisted implementations of
   AES-NI are used.

o  RFC 6113 Generalized Framework for Kerberos
   Pre-Authentication (FAST).

o  iprop has been revamped to fix a number of race
   conditions that could lead to inconsistent replication.

o  The KDC process now uses a multi-process model improving
   resiliency and performance.

o  AES Encryption with HMAC-SHA2 for Kerberos 5
   draft-ietf-kitten-aes-cts-hmac-sha2-11


For a more detailed list of changes please see:

https://github.com/heimdal/heimdal/blob/master/NEWS

which contains a bullet point summary of the major security,
feature and bug fix changes that have been applied to the Heimdal
source tree over the last four years since the release of 1.5.3.

The list is currently not complete and we will be reviewing the
git log to add features and bug fixes to the list before we make
the final release.

We expect that the ABI for libgssapi and libkrb5 will be unchanged
from the prior release (1.5.3).  If any differences are discovered
during the release process, we will then fix them if practical
or document the differences in the release notes.

And, again, we aren't quite finished.  Organizations and
individuals wishing to submit changes to Heimdal for this
release are encouraged to do so no later than 1 November 2016.


The release process:

Each release candidate will be given two weeks for testing
and usability feedback.  If a serious bug is uncovered during
the review period then a new release candidate will be issued
once the bug has been fixed.  If after two weeks from candidate
release no new showstopping bugs are uncovered, then the release
candidate will be declared final.

-- 
Roland C. Dowdeswell
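
The versioning scheme announced above can be checked mechanically, for instance by a packager who wants to admit only stable releases. The following is an added example, not part of the original message or of Heimdal's own code; the function names are hypothetical, and treating majors below 6 (such as 1.5.3) as "legacy" is an assumption.

```python
import re
from typing import NamedTuple, Optional

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

class HeimdalVersion(NamedTuple):
    major: int
    minor: int
    micro: Optional[int]

def parse(text: str) -> HeimdalVersion:
    """Split 'major.minor[.micro]' into integers; micro is None when absent."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a Heimdal version: {text!r}")
    major, minor, micro = m.groups()
    return HeimdalVersion(int(major), int(minor),
                          None if micro is None else int(micro))

def classify(v: HeimdalVersion) -> str:
    """Apply the announced rules: minor 0 = release candidate,
    minor 99 = development, anything else = stable (no micro allowed)."""
    if v.major < 6:
        return "legacy"  # assumption: predates the new scheme (e.g. 1.5.3)
    if v.minor in (0, 99):
        if v.micro is None:
            raise ValueError("release candidates and development "
                             "versions need a micro number")
        return "release-candidate" if v.minor == 0 else "development"
    if v.micro is not None:
        raise ValueError("stable releases do not have a micro number")
    return "stable"

def feature_release(v: HeimdalVersion) -> int:
    """Major number the version belongs to: x.99.n is work toward x+1."""
    return v.major + 1 if classify(v) == "development" else v.major

def sort_key(v: HeimdalVersion) -> tuple:
    """Chronological order within the scheme: 7.0.n < 7.1 < 7.99.n < 8.0.n."""
    return (v.major, v.minor, v.micro or 0)

def is_stable(text: str) -> bool:
    """True only for a stable release such as 7.1 or 7.2."""
    return classify(parse(text)) == "stable"

if __name__ == "__main__":
    # Constructed sample: the version numbers used as examples in the message.
    for s in ["6.99.1", "7.0.1", "7.1", "7.2", "7.99.1", "8.0.1", "8.1"]:
        v = parse(s)
        print(s, classify(v), "-> Heimdal", feature_release(v))
```
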