Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

FLOP:Kerberos V implementations

From Funtoo
Revision as of 19:36, February 6, 2015 by Mgorny (talk | contribs) (FLOP on krb5 impls)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Created on
2015/02/06
Original Author(s)
Mgorny
Status
Pending Review
Reference Bug
FL-2093

Funtoo Linux Optimization Proposal: Kerberos V implementations

Funtoo supports two binary-incompatible Kerberos V implementations: MIT and Heimdal. Ebuilds supporting both need to properly depend on them to ensure rebuilds.

Overview

There are currently two Kerberos V implementations in Funtoo:

  • MIT Kerberos V (No results),
  • Heimdal (No results).

Both implementations use the same library names and a partially compatible API. However, they are binary incompatible and use different (non-colliding) SONAMEs.

Many of Kerberos V applications support both implementations. In this case, the relevant packages depend on No results. Some applications support only one of the implementations, depending on it directly.


Issues with the current solution

Virtuals are based on assumption that the providers can be switched at runtime. However, since the krb5 implementations are binary-incompatible, switching them at runtime is incorrect and results in the reverse dependencies being broken. Instead, implementation switch needs to be followed by automatic reverse dependency rebuild.

Furthermore, the lack of explicit implementation control will be an issue if installing both implementations in parallel becomes possible in the future. This could be desired since there are both packages supporting only mit-krb5, as well as packages supporting only heimdal.


Suggested solution

The simplest solution seems to be introducing a USE flag in all reverse dependencies that support both mit-krb5 and heimdal. The flag would decide which of the two implementation is used.

An example reverse dependency would look like:

   example-1.ebuild
IUSE="heimdal"
RDEPEND="
    heimdal? ( app-crypt/heimdal:0= )
    !heimdal? ( app-crypt/mit-krb5:0= )"

If Kerberos V support is optional, the flags would be combined with the kerberos feature flag:

   example-1.ebuild
IUSE="heimdal kerberos"
RDEPEND="
    kerberos? (
        heimdal? ( app-crypt/heimdal:0= )
        !heimdal? ( app-crypt/mit-krb5:0= )
    )"

This implementation implies that:

  1. user is given an explicit choice of Kerberos V implementation.
  2. Switch of a Kerberos V implementation would cause a rebuild through --changed-use, therefore resolving breakage caused by ABI change.