(was Re: OpenSSH HPN)

[See https://lists.freebsd.org/pipermail/freebsd-security/2015-November/008747.html for the bits that Dag-Erling skipped]

On Fri, 13 Nov 2015, Dag-Erling Smørgrav wrote:
> Benjamin Kaduk <kaduk at MIT.EDU> writes:
> > Things seem to have slowed down a lot since the lead Heimdal developer
> > got hired for Apple. [...] MIT employs developers whose job
> > descriptions include being the krb5 release manager [...] Heimdal has
> > changed plans to a 1.7 release [...] and since the developers in
> > question are being paid to work on other things, there is no real
> > timeline for the release.
>
> Given this state of affairs, it might not be unreasonable to consider
> switching back for 11. There should be enough time, provided our
> Kerberos maintainers have some spare cycles.

Well, it's definitely too late for 11, now.

But, Debian is preparing to remove their heimdal package entirely, imminently: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728

I also can't find an archive of heimdal-discuss at sics.se that still works (now that gmane is gone), so I'll quote the relevant message from there, below.

Maybe we should consider dropping heimdal for 12.

-Ben

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Date: Wed, 14 Sep 2016 14:58:27 -0400
From: Andrew Bartlett <abartlet at samba.org>
To: heimdal-discuss at sics.se
Subject: Heimdal to be removed from Debian shortly

FYI:

I'm sorry to say that per:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834654
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728

Heimdal will shortly be removed from Debian.

It is the view of those of us involved that inclusion of sensitive security software in the next stable release of Debian needs the normal pattern of maintained upstream releases, not just a git tree to take snapshots from.

It is also being eased out of Samba; we will make further decisions once we get a build against MIT krb5 working.

Sorry,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Begs the question: what impact to FreeBSD distribution or use will US export control laws have, if FreeBSD migrated to MIT Kerberos?

--
Disclaimer: As implied by email protocols, the information in this message is not confidential. Any intermediary or recipient may inspect, modify (add), copy, forward, reply to, delete, or filter email for any purpose unless said parties are otherwise obligated. Nothing in this message may be legally binding without cryptographic evidence of its integrity and/or confidentiality.
<<On Wed, 14 Sep 2016 15:21:46 -0400 (EDT), Benjamin Kaduk <kaduk at MIT.EDU> said:

> Well, it's definitely too late for 11, now.
> But, Debian is preparing to remove their heimdal package entirely,
> imminently: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728

The primary issue, so far as I can see, is that Heimdal and MIT were only compatible in the parts of the API that were formally standardized. For those of us who need MIT (to have a working kadmin, for example), that has pretty much always boiled down to completely disabling Heimdal in base (and anything that depends on it, like OpenSSH, pam_krb5, and GSSAPI-authenticated NFS), and installing replacement bits from ports/packages.

If we're going to remove Heimdal from base, we should completely deorbit (or disable, as appropriate) all of the things that depend on it, and make sure that there are ports that provide replacement functionality. (AFAIK the only thing missing is gssd, the user-mode side of the authenticated NFS support.) My bet would be that very few FreeBSD users actually take advantage of this support, and unless they're running in an all-FreeBSD or all-Heimdal shop probably have to install MIT Kerberos anyway.

Since we're expecting to have packaged base complete for 12.0, having to install a few extra packages (and replace some base packages with ports packages) should not be an imposition, for those people who want Kerberos support, and for many of us it would make fresh installs less of a hassle.

Since 11.0 hasn't been released yet, is it within the realm of possibility to officially deprecate Heimdal-in-base before it ships? At this stage all that would involve is putting an announcement in the release notes.

-GAWollman
(writing as the administrator of the CSAIL.MIT.EDU realm, but still not speaking for MIT)
On Wed, 14 Sep 2016, Garrett Wollman wrote:
> <<On Wed, 14 Sep 2016 15:21:46 -0400 (EDT), Benjamin Kaduk <kaduk at MIT.EDU> said:
>
> > Well, it's definitely too late for 11, now.
> > But, Debian is preparing to remove their heimdal package entirely,
> > imminently: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728
>
> [...]
>
> Since 11.0 hasn't been released yet, is it within the realm of
> possibility to officially deprecate Heimdal-in-base before it ships?
> At this stage all that would involve is putting an announcement in the
> release notes.

If you're going to propose that, asking re@ seems like the right thing to do. Adding them to the recipient list...

-Ben