[Bug 247940] Introduce gssapi=.. in DEFAULT_VERSIONS like for ssl=...

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 07 Sep 2023 20:35:20 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247940

Joseph Mingrone <jrm@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jrm@freebsd.org

--- Comment #5 from Joseph Mingrone <jrm@freebsd.org> ---
Michael,

tl;dr I don't think using Mk/bsd.default-versions.mk for building ports with
different Kerberos implementations is feasible.

For the default versions feature to make sense, we need ports to have
USES=gssapi without specifying a Kerberos implementation.  That way, a value
set for DEFAULT_VERSIONS+=gssapi= can be used, or if that isn't set, we can
fall back to the default of using Kerberos from base.  However, this isn't how
our 58 ports with USES=gssapi currently work.

Twelve ports have USES=gssapi without an OPTION, but they all hardcode the
Kerberos implementation.

Of the remaining ports, the ones that have OPTION knobs for all of the Kerberos
implementations could, in theory, be converted to use a default version, but
there are complications.  For example, many of them require different configure
flags.  For example, here is what we have in
security/cyrus-sasl2-gssapi/Makefile

GSSAPI_HEIMDAL_USES=     gssapi:heimdal,flags
GSSAPI_HEIMDAL_CONFIGURE_ON=    --enable-gssapi="${GSSAPIBASEDIR}" \
                         --with-gss_impl=heimdal

but other ports like security/samba416 have

GSSAPI_HEIMDAL_CONFIGURE_ON=    --with-system-heimdalkrb5 ${GSSAPIBASEDIR}
GSSAPI_HEIMDAL_USES=     gssapi:heimdal
GSSAPI_HEIMDAL_PREVENTS=    AD_DC
GSSAPI_HEIMDAL_PREVENTS_MSG=    GSSAPI_HEIMDAL and AD_DC enable conflicting options

A workaround is to specify something like this in /etc/make.conf.

.if ${.CURDIR:M*/net/samba*}
WITHOUT=GSSAPI_BUILTIN
WITH=GSSAPI_MIT
.endif

You still have to think about individual ports, but at least you can share this
configuration between systems, and you won't have to go through the
configuration dialogs manually.

I hope this helps.

Joe
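
Added example (not part of the comment above and not code from the ports tree): a Python classifier that sorts a port Makefile into the cases the comment distinguishes, namely USES=gssapi with no implementation named, an implementation hardcoded in USES, or the choice made through OPTION knobs. The function names, the result labels and the argument list base/heimdal/mit are assumptions; the first two sample strings are the lines quoted in the comment, the last two are constructed.

```python
import re

# Arguments that pick an implementation; anything else (e.g. "flags") is a
# modifier. Assumed from Mk/Uses/gssapi.mk, not stated on this page.
IMPLS = ("base", "heimdal", "mit")
# Matches "USES=", "USES+=" and option helpers such as "GSSAPI_HEIMDAL_USES=".
USES_RE = re.compile(r"^\s*(?:(\w+?)_)?USES\s*[+?:]?=\s*(.*)$")

def gssapi_uses(makefile_text):
    """Return [(option_or_None, impl_or_None)] for every gssapi USES token."""
    # Join backslash-continued lines so a wrapped USES is read as one value.
    text = re.sub(r"\\\n", " ", makefile_text)
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        option, value = m.groups()
        for token in value.split():
            name, _, args = token.partition(":")
            if name != "gssapi":
                continue
            impl = next((a for a in args.split(",") if a in IMPLS), None)
            found.append((option, impl))
    return found

def classify(makefile_text):
    """Return 'none', 'unpinned', 'hardcoded' or 'per-option'."""
    uses = gssapi_uses(makefile_text)
    if not uses:
        return "none"
    if any(opt is not None for opt, _ in uses):
        # Implementation chosen by OPTION knobs: needs per-port WITH/WITHOUT.
        return "per-option"
    # Only an unpinned port could follow a DEFAULT_VERSIONS setting.
    return "hardcoded" if any(impl for _, impl in uses) else "unpinned"

# Lines quoted in the comment above.
CYRUS = "GSSAPI_HEIMDAL_USES=\tgssapi:heimdal,flags\n"
SAMBA = "GSSAPI_HEIMDAL_USES=\tgssapi:heimdal\n"
# Constructed samples.
HARDCODED = "USES=\tcpe gssapi:mit \\\n\tssl\n"
UNPINNED = "USES=\tgssapi ssl  # constructed\n"

if __name__ == "__main__":
    for label, text in [("cyrus", CYRUS), ("samba", SAMBA),
                        ("hardcoded", HARDCODED), ("unpinned", UNPINNED)]:
        print(label, classify(text), gssapi_uses(text))
```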
