[gentoo-dev] Kerberos questions

[gentoo-dev] Kerberos questions

[Dave Love]

Hello,

I've been slowly going through the packages I use and enabling
kerberos and skey support where possible (openssh, cyrus-sasl, 
etc.).  I'd like to submit the appropriate ebuild patches so 
this can end up in the base, but I have a questions about 
kerberos and dependencies first.


1. I've added/defined 3 new USE variables:  kerberos4, kerberos5 and 
skey.


2. Each version of kerberos can be provided by more than one
package, so I've created 2 new virtual packages by adding
PROVIDE lines as follows:

app-crypt/krb5 and app-crypt/heimdal:

 PROVIDE="virtual/kerberos5 virtual/kerberos4"

app-crypt/kth-krb:

 PROVIDE="virtual/kerberos4"


3. I've then started adding new dependencies for the various
utilities, such as cyrus-sasl:

dev/libs/cyrus-sasl/cyrus-sasl-1.5.27-r1.ebuild:

  DEPEND="... kerberos4? ( virtual/kerberos4 ) kerberos5? ( virtual/kerberos5 )"

  src_compile() {
    local myconf
    use kerberos4 && myconf="${myconf} --enable-krb4"
    use kerberos4 || myconf="${myconf} --disable-krb4"
    use kerberos5 && myconf="${myconf} --enable-gssapi"
    use kerberos5 || myconf="${myconf} --disable-gssapi"
    ...

Am I on the right track here?  It seems to work, but I want to
make certain I'm headed in the right direction before I go much
further.

Thanks,

 Dave Love

Re: [gentoo-dev] Kerberos questions

[Jano Lukac]

Groovy on the kerberos stuff!  Finally someone else interested in it :)

Quick thing.. why the skey use?  And isn't kerberos 4 "outdated" now, so
almost as if saying, "why bother" ?

Dave Love said:
<snip>

> 3. I've then started adding new dependencies for the various
> utilities, such as cyrus-sasl:
>
> dev/libs/cyrus-sasl/cyrus-sasl-1.5.27-r1.ebuild:
>
>  DEPEND="... kerberos4? ( virtual/kerberos4 ) kerberos5? (
>  virtual/kerberos5 )"
>
>  src_compile() {
>    local myconf
>    use kerberos4 && myconf="${myconf} --enable-krb4"
>    use kerberos4 || myconf="${myconf} --disable-krb4"
>    use kerberos5 && myconf="${myconf} --enable-gssapi"
>    use kerberos5 || myconf="${myconf} --disable-gssapi"


I think you might be able to shorten this  to the use foo && bar || that,
but probably kills the readability and might cause a line wrap *shrug*.
BTW, with the above, I'm assuming you can have both kerberos 4 and 5
compiled into sasl (but I think I remember you cannot).


>    ...
>
> Am I on the right track here?  It seems to work, but I want to
> make certain I'm headed in the right direction before I go much
> further.

Looks like it.  If kerberos 4 and 5 cannot coexist, then make a single
virtual depend, or just don't do the virtual depend.

jano

Re: [gentoo-dev] Kerberos questions

[Dave Love]

On Tue, May 07, 2002 at 09:13:45AM -0700, Jano Lukac wrote:
> 
> Groovy on the kerberos stuff!  Finally someone else interested in it :)
> 
> Quick thing.. why the skey use?  And isn't kerberos 4 "outdated" now, so
> almost as if saying, "why bother" ?

Good question.  I'm personally only interested in K5, but since both are
included in the portage tree, I figured I might as well deal with both at
the same time.  The more I get into it though, the more I realize that 
testing it here is going to be a major pain, so I'll probably just leave 
the kerberos4 stuff for someone that needs it.

The skey stuff is simply to satisfy my own curiousity.

<snip>
> >    use kerberos4 && myconf="${myconf} --enable-krb4"
> >    use kerberos4 || myconf="${myconf} --disable-krb4"
> >    use kerberos5 && myconf="${myconf} --enable-gssapi"
> >    use kerberos5 || myconf="${myconf} --disable-gssapi"
> 
> 
> I think you might be able to shorten this  to the use foo && bar || that,
> but probably kills the readability and might cause a line wrap *shrug*.

I saw both forms used in various ebuilds and wasn't sure if there was a 
standard or not, so I just opted for the more legible of the two.

> BTW, with the above, I'm assuming you can have both kerberos 4 and 5
> compiled into sasl (but I think I remember you cannot).

Enabling k4 and k5 in sasl works just fine here: since I don't have k4 
installed, the configure script automatically disabled it.  Oops. ;-)
Yet another reason to leave the k4 stuff for someone who needs it.

> > Am I on the right track here?  It seems to work, but I want to
> > make certain I'm headed in the right direction before I go much
> > further.
> 
> Looks like it.  If kerberos 4 and 5 cannot coexist, then make a single
> virtual depend, or just don't do the virtual depend.

Good point.  I think I still need the virtual depend for kerberos5 since 
it can come from either the heimdal or krb5 packages, but there's no
reason to create 2 virtual packages for k4 and k5.

So I'm down to virtual/kerberos and the USE flag 'kerberos5'.

> jano

Thanks for the feedback!

 - Dave

Re: [gentoo-dev] Kerberos questions

[jboyens]

Kerberos 4 support is VERY important... Some of us work at large universities
whose budget/infrastructure doesn't allow for Kerb5 upgrade...

Good work, BTW. :)
--
JR Boyens
jboyens@iastate.edu

On Tue, May 07, 2002 at 09:13:45AM -0700, Jano Lukac wrote:
> 
> Groovy on the kerberos stuff!  Finally someone else interested in it :)
> 
> Quick thing.. why the skey use?  And isn't kerberos 4 "outdated" now, so
> almost as if saying, "why bother" ?
> 
> Dave Love said:
> <snip>
> 
> > 3. I've then started adding new dependencies for the various
> > utilities, such as cyrus-sasl:
> >
> > dev/libs/cyrus-sasl/cyrus-sasl-1.5.27-r1.ebuild:
> >
> >  DEPEND="... kerberos4? ( virtual/kerberos4 ) kerberos5? (
> >  virtual/kerberos5 )"
> >
> >  src_compile() {
> >    local myconf
> >    use kerberos4 && myconf="${myconf} --enable-krb4"
> >    use kerberos4 || myconf="${myconf} --disable-krb4"
> >    use kerberos5 && myconf="${myconf} --enable-gssapi"
> >    use kerberos5 || myconf="${myconf} --disable-gssapi"
> 
> 
> I think you might be able to shorten this  to the use foo && bar || that,
> but probably kills the readability and might cause a line wrap *shrug*.
> BTW, with the above, I'm assuming you can have both kerberos 4 and 5
> compiled into sasl (but I think I remember you cannot).
> 
> 
> >    ...
> >
> > Am I on the right track here?  It seems to work, but I want to
> > make certain I'm headed in the right direction before I go much
> > further.
> 
> Looks like it.  If kerberos 4 and 5 cannot coexist, then make a single
> virtual depend, or just don't do the virtual depend.
> 
> jano
> 
> 
> _______________________________________________
> gentoo-dev mailing list
> gentoo-dev@gentoo.org
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev
> 

Re: [gentoo-dev] Kerberos questions

[Dave Love]

On Tue, May 07, 2002 at 06:15:15PM -0500, jboyens@fooninja.org wrote:
> Kerberos 4 support is VERY important... Some of us work at large universities
> whose budget/infrastructure doesn't allow for Kerb5 upgrade...

I've gotten a few emails to this effect, so how about this:

I'll make each of the three Kerberos packages (kth-krb, krb5 and heimdal) 
provide "virtual/kerberos" and assume that only one will ever be installed
at any given time.  I'll add support for the USE flags 'kerberos4' and 
'kerberos5' with the stated provision that only one should be specified 
at any time.  I don't think I can enforce that, but I hope to create a 
basic Kerberos HOWTO for the gentoo site that will at least warn against it.

I'm going to convert one machine here to kerberos4 (kth-krb) and make certain
everything at least compiles correctly.  I won't have the ability to do much, 
if any, distributed testing of k4 though.  

If any kerberos users would be willing to try the updated ebuild files, it'd 
be a great help in making sure I've got this down.  

Also, if anyone knows of any packages that should be updated to enable kerberos
support, I'd be happy to update their ebuilds.  Just let me know.

> Good work, BTW. :)

Thanks!  Credit really goes to the gentoo folks though.  This distribution 
makes it very easy to do this kind of thing.

 - Dave

Re: [gentoo-dev] Kerberos questions

[Thilo Bangert]

> I'll make each of the three Kerberos packages (kth-krb, krb5 and
> heimdal) provide "virtual/kerberos" and assume that only one will
> ever be installed at any given time.

you could use a RDEPEMD="!virtual/keberos" to prevent a user to install 
multiple keberi(?)

-- 
regards
Thilo