
krb5: use 'kerberos' as package name
ClosedPublic

Authored by ivy on Jul 19 2025, 2:51 AM.

Details

Summary

Rename krb5 and krb5-lib to kerberos and kerberos-lib to match the
existing Heimdal package names. Since it's not possible to build or
install both at the same time, and Heimdal will be removed anyway,
there's no benefit to using a different package name for MIT Kerberos
and doing so will create friction for pkgbase users.

Move a few things (e.g., headers) from kerberos to kerberos-lib.

Move the KDC to a new package, kerberos-kdc, so the client utilities
can be installed without the KDC. As most systems won't have the KDC
running, this saves a bit of disk space for jails/containers.

Remove a few instances of 'PACKAGE=' in target-specific Makefiles
where we can set that in the parent's Makefile.inc instead.

The KDC init script is still installed in the 'rc' package for
compatibility with the security/krb5 port; we should fix this
at some point, possibly after Heimdal is removed.

This fixes the WITH_MITKRB5 package build which is currently broken
due to missing release/packages/ucl/krb5-all.ucl (it was missed in the
mechanical conversion as it didn't have an entry in Makefile.package.)

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

ivy requested review of this revision. Jul 19 2025, 2:51 AM

fix typo: s/certificates/tickets/

cy requested changes to this revision. Jul 21 2025, 5:01 AM

This will cause confusion for people when referring to the Kerberos packages (Heimdal) and Kerberos packages (MIT KRB5). How do we intend to distinguish between both? The human element will certainly become confused using the same name between both.

Alternatively we can rename the Heimdal Kerberos to Heimdal and use mitkrb5 for the MIT version. But this would have to be MFCed so that we humans speak the same each version of FreeBSD.

This will create more confusion for people.

This revision now requires changes to proceed. Jul 21 2025, 5:01 AM
In D51420#1174685, @cy wrote:

> This will cause confusion for people when referring to the Kerberos packages (Heimdal) and Kerberos packages (MIT KRB5). How do we intend to distinguish between both?

i believe that there's no need to distinguish between them. either you build packages with Heimdal, or you build packages with MIT Kerberos. in either case, you expect pkg install FreeBSD-kerberos to install Kerberos; which version you get is determined by how you built the packages.

if it was possible to build a package repository that contained both krb5 and Heimdal, then it would be useful to be able to install one or the other, but this is not possible and (as far as i'm aware) will never be possible.

as an example of what i want to fix here, consider someone building a container image that includes Kerberos support. with my change, they can simply install FreeBSD-kerberos in their container and it will work as expected. if we rename the package for MIT Kerberos, then everyone doing this will need to change their build scripts to install FreeBSD-krb5 instead. assuming MIT Kerberos will be the default in 15.0-RELEASE, this breaks everyone's container builds after they upgrade from 14. (a similar argument applies to jails.)

conversely, i can't see any use-case which is enabled by using different package names for Heimdal vs MIT Kerberos.

another argument in favour of not changing the package name is upgrades: after we switch MIT Kerberos to the default, everyone who has FreeBSD-kerberos installed needs to remove it and install FreeBSD-krb5 instead. however, there is no mechanism in pkg(base) to do this automatically, or even notify the user that they need to do so. instead, what will happen is that people will end up with the obsolete/orphaned FreeBSD-kerberos installed on their system, which is going to cause confusion.

now, i accept this is an issue in pkgbase that we should probably fix, but for now it's not fixed, and keeping the same package name avoids this issue entirely.

manu added a subscriber: manu.
In D51420#1174719, @ivy wrote:

> another argument in favour of not changing the package name is upgrades: after we switch MIT Kerberos to the default, everyone who has FreeBSD-kerberos installed needs to remove it and install FreeBSD-krb5 instead. however, there is no mechanism in pkg(base) to do this automatically, or even notify the user that they need to do so. instead, what will happen is that people will end up with the obsolete/orphaned FreeBSD-kerberos installed on their system, which is going to cause confusion.
>
> now, i accept this is an issue in pkgbase that we should probably fix, but for now it's not fixed, and keeping the same package name avoids this issue entirely.

I agree on all your points.

In D51420#1174685, @cy wrote:

> This will cause confusion for people when referring to the Kerberos packages (Heimdal) and Kerberos packages (MIT KRB5). How do we intend to distinguish between both? The human element will certainly become confused using the same name between both.
>
> Alternatively we can rename the Heimdal Kerberos to Heimdal and use mitkrb5 for the MIT version. But this would have to be MFCed so that we humans speak the same each version of FreeBSD.
>
> This will create more confusion for people.

The problem is even worse for non-pkgbase installs, right? This creates friction for no reason when we need some other discriminator anyways.

dch added a subscriber: dch.

Whichever path is chosen, please align release/tools/oci-image-runtime.conf as well to match FreeBSD-kerberos-lib|FreeBSD-krb5-lib as required, so that the container builds will work.

This revision was not accepted when it landed; it landed in state Needs Revision. Jul 24 2025, 10:34 AM
This revision was automatically updated to reflect the committed changes.