
Re: Intent to package KerberosV



Bear Giles <bear@coyotesong.com> writes:

> My plan, back when I was exploring the idea of a US-only package 
> and/or derived distribution, was to use shared libraries and create 
> a special null Kerberos package which would return error codes, something
> very close to the Kerberos 'bones' package (which is not export restricted).
> The resulting package should be exportable and Kerberos functionality
> would be enabled whenever someone installed the Kerberos packages.

This wouldn't hold water, unfortunately. US Crypto export law includes
prohibiting software with hooks "specifically" for crypto. So generic hooks
for arbitrary filters are ok, hooks just for authentication (such as the
fetchmail source) are ok, but binary packages are certain to include calls to
crypto routines, which is verboten.

> The second is that both Kerberos and SSLeay use "libcrypto". Maintainers
> could change the library name expected, but it's a pain.

Uhoh, is this a problem for our existing kerberos 4 packages (that everyone
seems to have forgotten about, hmph.)? I haven't gotten any bug reports about
conflicts with libcrypto and it's definitely included.

> > So far, I haven't considered adding the Kerberos compile options, because
> > of doubt about this and also because no-one has ever asked for it.

I tried to build nonus versions of zephyr and fetchmail with kerberos support
a while back and found our tools just couldn't handle a source package that
could produce different binary packages depending on the whim of the user. 
(This would have been especially neat since libzephyr contains all the
kerberos calls, I could have produced a single libzephyr-i that switched the
behaviour of all the zephyr clients.) 

Alas, my current solution is to just make it really easy for other people to
build their own kerberized packages. To build a kerberized set of zephyr
packages you just do "debian/rules WITHOUT_KRB4= binary" and for fetchmail I
think you can just rebuild with kerberos4kth-dev installed and it dtrt.

This satisfied my immediate needs, I can get my mail and read mit zephyrs, but
doesn't really help the kerberos cause. I do want to get the kerberos pam
module packaged but don't know anything about it myself.

greg

