Bug#868640: hdb_generate_key_set_password broke ABI

2017-07-18 Thread Brian May 
Ryan Tandy  writes:

> One possible alternative is renaming the package without actually 
> bumping SONAME; for example libhdb9a. Then you get to re-sync with 
> upstream at the next increment.

The obvious way to do this would be to remove the stupid -heimdal
postfix from these package names (it seemed like a good idea at the
time...). Should I limit this to just the two libraries with known
problems, or all the Heimdal libraries?

However, unfortunately, that would mean the new packages conflict with
the old packages, which is undesirable. Maybe the lesser evil however???

>>I am not particularly keen on maintaining a growing set of patches that
>>maintain backward compatability for eternanity while deliberately
>>breaking compatability with other non-Debian-distributions however.
>
> I think following upstream on this one is the right thing to do. I don't 
> want to create extra work for you, but I do think we should handle this 
> breakage somehow since we know it can happen. If that's best achieved by 
> a change on the openldap side, I'm of course open to that too.

Yes, I much prefer following upstream. Means binaries are more likely to
work across distributions.

I only hope that upstream have finished breaking ABI compatability...
-- 
Brian May

Bug#868640: hdb_generate_key_set_password broke ABI

2017-07-18 Thread Ryan Tandy 

On Tue, Jul 18, 2017 at 08:23:01AM +1000, Brian May wrote:

The problem with bumping the SONAME, is this means that we are forever
out of sync with the upstream SONAME.


One possible alternative is renaming the package without actually 
bumping SONAME; for example libhdb9a. Then you get to re-sync with 
upstream at the next increment.


Random examples: libdkim1d, libmutter0i, various toolchain transitions 
(*c2a, *v5).



A symbols file update would be nice, so future builds of slapd-smbk5pwd
pick up a minimum dependency. If libhdb would add a Breaks on
slapd-smbk5pwd (<< 2.4.44+dfsg-8), that would fix partial upgrades from
the other direction too.


We had a similar issue just before the release of Stretch. See
#848694. Two symbols were removed from the upstream library. Adding
breaks headers was suggested, but the release team strongly disliked
this solution.

We ended up patching these symbols back in.

I am not particularly keen on maintaining a growing set of patches that
maintain backward compatability for eternanity while deliberately
breaking compatability with other non-Debian-distributions however.


I think following upstream on this one is the right thing to do. I don't 
want to create extra work for you, but I do think we should handle this 
breakage somehow since we know it can happen. If that's best achieved by 
a change on the openldap side, I'm of course open to that too.


If you were to perform a transition for heimdal (the package rename 
technique seems like it could apply to libroken as well), we're probably 
at a good point in the release cycle for it...


thanks,
Ryan

Bug#868640: hdb_generate_key_set_password broke ABI

2017-07-17 Thread Brian May 
On 2017-07-18 08:30, Brian May wrote:

> Please read the bull details of 868640 for more information, and for
> details of similar situation that occured before the Stretch
> release. #848694

Apologies for the typo. 

s/bull/full/

Bug#868640: hdb_generate_key_set_password broke ABI

2017-07-17 Thread Brian May 
Hello Debian-Devel!

I have this tricky situation. It appears in 2011, upstream made a change
to Heimdal that broken the shared library ABI, and didn't change the
SONAME.

=== cut ===
commit af011f57fc4ae6e865bab471c20aa9047e4e19d4
Author: Roland C. Dowdeswell 
Date:   Mon Nov 28 15:18:52 2011 +

Provide server side kadm5_chpass_principal_3() with ks_tuple implementation.

We enable kadm5_chpass_principal_3() in the server side of the
library.  The client kadm5 library calls will still return the
error KAMD5_KS_TUPLE_NO_SUPP.

Signed-off-by: Nicolas Williams 
=== cut ===

This change was undetected, and included in Debian in Wheezy, Jessie,
Stretch.

Now Upstream has realized their
error. https://github.com/heimdal/heimdal/issues/246

There response was to restore the ABI to the previous state. This change
is now in testing and unstable.

What should I do? It appears patch the ABI back to the previous state,
and break compatability with other distributions. Or I can keep it as it
and break upgrades.

Please read the bull details of 868640 for more information, and for
details of similar situation that occured before the Stretch
release. #848694
-- 
Brian May

Bug#868640: hdb_generate_key_set_password broke ABI

2017-07-17 Thread Brian May 
Ryan Tandy  writes:

> Right. Unfortunately the different signature was in Debian for a long 
> time (since squeeze, I think). I for one always assumed the change was 
> intentional and it would just stay that way.

Oh, yes, looks like you are right. I thought this was introduced in
Stretch, but looks like Wheezy and Jessie has it too.

> Possibly, yeah. The pedantic answer is this requires a SONAME bump and 
> transition; but that may be overkill in this case. smbk5pwd is for sure 
> the only user in Debian, and I'd be surprised if there are any external 
> users (maybe an occasional user building their own smbk5pwd).

The problem with bumping the SONAME, is this means that we are forever
out of sync with the upstream SONAME.

> A symbols file update would be nice, so future builds of slapd-smbk5pwd 
> pick up a minimum dependency. If libhdb would add a Breaks on 
> slapd-smbk5pwd (<< 2.4.44+dfsg-8), that would fix partial upgrades from 
> the other direction too.

We had a similar issue just before the release of Stretch. See
#848694. Two symbols were removed from the upstream library. Adding
breaks headers was suggested, but the release team strongly disliked
this solution.

We ended up patching these symbols back in.

I am not particularly keen on maintaining a growing set of patches that
maintain backward compatability for eternanity while deliberately
breaking compatability with other non-Debian-distributions however.
-- 
Brian May

Bug#868640: hdb_generate_key_set_password broke ABI

2017-07-17 Thread Ryan Tandy 

Hi Brian,

On Mon, Jul 17, 2017 at 05:53:25PM +1000, Brian May wrote:

Looks like this a fix for a previously undetected regression. i.e. it
changes the signature back to what it should have been. I fix that was
included in 7.4.0, that is now in unstable.

Unfortunately, as stable now has the bad signature, I really have no
idea what to do with this.


Right. Unfortunately the different signature was in Debian for a long 
time (since squeeze, I think). I for one always assumed the change was 
intentional and it would just stay that way.



Suggestions? Maybe I should ask on debian-devel?


Possibly, yeah. The pedantic answer is this requires a SONAME bump and 
transition; but that may be overkill in this case. smbk5pwd is for sure 
the only user in Debian, and I'd be surprised if there are any external 
users (maybe an occasional user building their own smbk5pwd).


A symbols file update would be nice, so future builds of slapd-smbk5pwd 
pick up a minimum dependency. If libhdb would add a Breaks on 
slapd-smbk5pwd (<< 2.4.44+dfsg-8), that would fix partial upgrades from 
the other direction too.


thanks,
Ryan

Bug#868640: hdb_generate_key_set_password broke ABI

2017-07-17 Thread Brian May 
Ryan Tandy  writes:

> In heimdal 7.2.0 the arguments to hdb_generate_key_set_password changed; 
> see https://github.com/heimdal/heimdal/issues/246
>
> I just updated openldap to build against the new (old) signature, but 
> there was no library transition or symbols file update, so things still 
> break in the event of a partial upgrade.
>
> Old slapd-smbk5pwd with new libhdb simply segfaults when the function is 
> called; I haven't tested the reverse but I suspect it would be the same.

Thanks for the report.

Looks like this a fix for a previously undetected regression. i.e. it
changes the signature back to what it should have been. I fix that was
included in 7.4.0, that is now in unstable.

Unfortunately, as stable now has the bad signature, I really have no
idea what to do with this.

Suggestions? Maybe I should ask on debian-devel?
-- 
Brian May

Bug#868640: hdb_generate_key_set_password broke ABI

2017-07-16 Thread Ryan Tandy 

Package: libhdb9-heimdal
Version: 7.4.0.dfsg.1-1
Severity: important
Control: affects -1 slapd-smbk5pwd

Dear maintainer,

In heimdal 7.2.0 the arguments to hdb_generate_key_set_password changed; 
see https://github.com/heimdal/heimdal/issues/246


I just updated openldap to build against the new (old) signature, but 
there was no library transition or symbols file update, so things still 
break in the event of a partial upgrade.


Old slapd-smbk5pwd with new libhdb simply segfaults when the function is 
called; I haven't tested the reverse but I suspect it would be the same.


thanks,
Ryan