[MacPorts] #36781: cyrus-sasl2: use Heimdal instead of MIT Kerberos on Lion and later
MacPorts
noreply at macports.org
Sun Oct 28 21:12:38 PDT 2012
#36781: cyrus-sasl2: use Heimdal instead of MIT Kerberos on Lion and later
--------------------------+--------------------------------
Reporter: aronnax@… | Owner: macports-tickets@…
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.1.2
Resolution: | Keywords: haspatch
Port: cyrus-sasl2 |
--------------------------+--------------------------------
Comment (by ryandesign@…):
Replying to [comment:2 aronnax@…]:
> * nds2-client: I maintain this port, and its developers say that cyrus-
sasl2 is preferred over the kerberos5 gssapi library. So nds2-client does
not need a direct dependency on kerberos5 or cyrus-sasl2.
Ports that install programs that link with a library need a library
dependency on the port that provides that library. Most of the programs
and libraries installed by the nds2-client port do link with
libgssapi_krb5.2.2.dylib so they do require a library dependency on
kerberos5 (or heimdal, if that would also work).
> * yafc: has a heimdal variant, and it is enabled by default
>
> > There's no particular need to change heimdal's prefix and make it
conflict with kerberos5, is there? That would seem to be a step backwards.
>
> Leaving heimdal in an alternative prefix would not represent a complete
solution. The problem is that ${prefix}/bin/kinit is currently always
provided by the kerberos5 port (MIT Kerberos). As a result, when a
MacPorts user runs kinit, the tickets created by it are not compatible
with Apple's own key store on Lion and Mountain Lion.
>
> If we let heimdal use the main MacPorts installation prefix, have it
conflict with kerberos5, and have ports that need Kerberos support use
kerberos5 on pre-Lion systems and heimdal on post-Lion systems, then
MacPorts applications should work with Apple's key store on all systems.
There are two courses of action that would work:
1. Do as you suggested initially, and require kerberos5 on Snow Leopard
and earlier and heimdal on Lion and later. Modify all ports that use
kerberos5 or heimdal to abide by this edict. Do not offer any variants to
select the kerberos implementation. If it is desirable to make the
kerberos5 and heimdal ports conflicting, then that would be fine. The
kerberos5 and heimdal ports could even be modified so that they refuse to
install on OS X versions not designed for their use. But since many users
of Lion and Mountain Lion do have kerberos5 installed today, and probably
some users of Snow Leopard and earlier have heimdal installed, there must
be a seamless upgrade path that will result in the old port being
deactivated and the new port activated (the "deactivate hack" that we've
used in some other ports).
2. Allow the user to select which kerberos implementation they want.
Offer variants wherever possible. The ports may not be made to conflict in
this case.
--
Ticket URL: <https://trac.macports.org/ticket/36781#comment:3>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
More information about the macports-tickets
mailing list