krb5: use 'kerberos' as package name
ClosedPublic
Actions

Authored by ivy on Jul 19 2025, 2:51 AM.

Details

Reviewers

des
kevans
cy
manu
cperciva
dfr

Group Reviewers

pkgbase

Commits

rG4cb1baa7d85c: krb5: use 'kerberos' as package name

Summary

Rename krb5 and krb5-lib to kerberos and kerberos-lib to match the
existing Heimdal package names. Since it's not possible to build or
install both at the same time, and Heimdal will be removed anyway,
there's no benefit to using a different package name for MIT Kerberos
and doing so will create friction for pkgbase users.

Move a few things (e.g., headers) from kerberos to kerberos-lib.

Move the KDC to a new package, kerberos-kdc, so the client utilities
can be installed without the KDC. As most systems won't have the KDC
running, this saves a bit of disk space for jails/containers.

Remove a few instances of 'PACKAGE=' in target-specific Makefiles
where we can set that in the parent's Makefile.inc instead.

The KDC init script is still installed in the 'rc' package for
compatibility with the security/krb5 port; we should fix this
at some point, possibly after Heimdal is removed.

This fixes the WITH_MITKRB5 package build which is currently broken
due to missing release/packages/ucl/krb5-all.ucl (it was missed in the
mechanical conversion as it didn't have an entry in Makefile.package.)

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

ivy created this revision.Jul 19 2025, 2:51 AM

Herald added subscribers: jrtc27, imp. · View Herald TranscriptJul 19 2025, 2:51 AM

ivy requested review of this revision.Jul 19 2025, 2:51 AM

Harbormaster completed remote builds in B65576: Diff 158771.Jul 19 2025, 2:51 AM

ivy added a parent revision: D51419: krb5: don't install /usr/include/import_err.h.Jul 19 2025, 2:51 AM

fix typo: s/certificates/tickets/

Harbormaster completed remote builds in B65577: Diff 158772.Jul 19 2025, 2:59 AM

This will cause confusion for people when referring to the Kerberos packages (Heimdal) and Kerberos packages (MIT KRB5). How do we intend to distinguish between both? The human element will certainly become confused using the same name between both.

Alternatively we can rename the Heimdal Kerberos to Heimdal and use mitkrb5 for the MIT version. But this would have to be MFCed so that we humans speak the same each version of FreeBSD.

This will create more confusion for people.

This revision now requires changes to proceed.Jul 21 2025, 5:01 AM

In D51420#1174685, @cy wrote:

This will cause confusion for people when referring to the Kerberos packages (Heimdal) and Kerberos packages (MIT KRB5). How do we intend to distinguish between both?

i believe that there's no need to distinguish between them. either you build packages with Heimdal, or you build packages with MIT Kerberos. in either case, you expect pkg install FreeBSD-kerberos to install Kerberos; which version you get is determined by how you built the packages.

if it was possible to build a package repository that contained both krb5 and Heimdal, then it would be useful to be able install one or the other, but this is not possible and (as far as i'm aware) will never be possible.

as an example of what i want to fix here, consider someone building a container image that includes Kerberos support. with my change, they can simply install FreeBSD-kerberos in their container and it will work as expected. if we rename the package for MIT Kerberos, then everyone doing this will need to change their build scripts to install FreeBSD-krb5 instead. assuming MIT Kerberos will be the default in 15.0-RELEASE, this breaks everyone's container builds after they upgrade from 14. (a similar argument applies to jails.)

conversely, i can't see any use-case which is enabled by using different package names for Heimdal vs MIT Kerberos.

another argument in favour of not changing the package name is upgrades: after we switch MIT Kerberos to the default, everyone who has FreeBSD-kerberos installed needs to remove it and install FreeBSD-krb5 instead. however, there is no mechanism in pkg(base) to do this automatically, or even notify the user that they need to do so. instead, what will happen is that people will end up with the obsolete/orphaned FreeBSD-kerberos installed on their system, which is going to cause confusion.

now, i accept this is an issue in pkgbase that we should probably fix, but for now it's not fixed, and keeping the same package name avoids this issue entirely.

In D51420#1174719, @ivy wrote:

another argument in favour of not changing the package name is upgrades: after we switch MIT Kerberos to the default, everyone who has FreeBSD-kerberos installed needs to remove it and install FreeBSD-krb5 instead. however, there is no mechanism in pkg(base) to do this automatically, or even notify the user that they need to do so. instead, what will happen is that people will end up with the obsolete/orphaned FreeBSD-kerberos installed on their system, which is going to cause confusion.

now, i accept this is an issue in pkgbase that we should probably fix, but for now it's not fixed, and keeping the same package name avoids this issue entirely.

I agree on all your points.

In D51420#1174685, @cy wrote:

This will cause confusion for people when referring to the Kerberos packages (Heimdal) and Kerberos packages (MIT KRB5). How do we intend to distinguish between both? The human element will certainly become confused using the same name between both.

Alternatively we can rename the Heimdal Kerberos to Heimdal and use mitkrb5 for the MIT version. But this would have to be MFCed so that we humans speak the same each version of FreeBSD.

This will create more confusion for people.

The problem is even worse for non-pkgbase installs, right? This creates friction for no reason when we need some other discriminator anyways.

kevans accepted this revision.Jul 22 2025, 5:31 PM

des accepted this revision.Jul 22 2025, 7:16 PM

Whichever path is chosen, please align release/tools/oci-image-runtime.conf as well to match FreeBSD-kerberos-lib|FreeBSD-krb5-lib as required, so that the container builds will work.

dch mentioned this in D51470: release: update oci-image templates after recent krb5 pkgbase changes.Jul 23 2025, 9:17 AM

manu mentioned this in D51481: OCI: Attempt to fix "runtime" container.Jul 24 2025, 7:03 AM

This revision was not accepted when it landed; it landed in state Needs Revision.Jul 24 2025, 10:34 AM

Closed by commit rG4cb1baa7d85c: krb5: use 'kerberos' as package name (authored by ivy). · Explain Why

This revision was automatically updated to reflect the committed changes.

ivy added a commit: rG4cb1baa7d85c: krb5: use 'kerberos' as package name.

ivy removed a parent revision: D51419: krb5: don't install /usr/include/import_err.h.Jul 25 2025, 1:19 PM