[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

krb5: ABI Issue--confirm your packages work against 1.4.3 in experimental

Hi folks.  I've just uploaded Mit Kerberos 1.4.3-1 to experimental.

I'm writing to you because your package links against the main
kerberos library (libkrb53) and I'd like you to confirm that the
Kerberos support in your package still works against this version.

The public ABI and API of MIt Kerberos has been stable since before
Woody was released.  However MIT reserves the right to change symbols
not mentioned in krb5.h (or mentioned only when KRB5_PRIVATE is
defined) at any point in time. New symbols are not added to
KRB5_PRIVATE without an ABI bump.

Unfortunately, some packages end up calling symbols that are private
such as krb5_init_ets().  Many years ago--before krb5 was introduced
into Debian--this was actually a good idea.  however it has been
unnecessary and incorrect for any version of kerberos in Debian.

MIt Kerberos 1.4 apparently marks the first time when MIT has removed
any such symbol.  This can cause packages calling such a symbol to
break at runtime.  That's not good.

The solution to this problem is to remove the call to the private
symbol.  In the case of krb5_init_ets (the common problem), just
remove the call.  In the case of any other symbols, fix the problem if
it is obvious, or ask krbdev@mit.edu for help if it is not.  (I'm on
that list; you could just ask me, but you will be better off asking a
larger list).

I'd appreciate it if you would take the time to see if your package
works against the new Kerberos library.  The easiest way to do this is
to build your package or at least the kerberos using parts of your
package against the new libkrb5-dev package and confirm there are no
warnings about missing prototypes and that your package can
successfully link to libkrb5.

If you do find problems, please upload a version of your package that
fixes the problem (built against the old library) to unstable.  Open a
serious bug tagged as experimental against the krb5 package asking me
to conflict with broken versions of your package.  Be sure to include
the version of your package that has the fix in the bug description.

The above procedure assumes that you don't need functionality from
krb5 1.4 to work around private symbols you are using.  If that ends
up not being the case then talk to me and we'll work something out.

Also, if your package is involved in some sort of transition and has
limited uploading,we'll need to work on timing with the release team.
If for this or any other reason you cannot upload a fix please still
open a bug so I'll know that krb5 1.4 will break your package.

Thanks for your cooperation in making Debian better and helping me
with this transition.

Finally, great thanks to Russ Allbery my co-maintainer for all his
work on the package.

Attachment: pgpp9tdeOW3XI.pgp
Description: PGP signature

Reply to: