Remove MK_GSSAPI
ClosedPublic
Actions

Authored by ivy on Aug 11 2025, 1:15 PM.

Details

Reviewers

cy
imp
jhb
des
emaste
jrm

Group Reviewers

krb5

Commits

rG095e23bfd4c5: RELNOTES: Note WITHOUT_GSSAPI removal (dc5ba6b8b4f0)
rGdc5ba6b8b4f0: Remove MK_GSSAPI

Summary

For MIT Kerberos, MK_GSSAPI has no meaning: GSSAPI is a required part of
Kerberos and is always built if MK_KERBEROS is enabled. Backport this
behaviour to Heimdal so it works the same way.

While here, change Heimdal's libcom_err to be selected by MK_KERBEROS,
not MK_KERBEROS_SUPPORT, since this is part of Kerberos and third-party
users might need it even if Kerberos support is disabled in the base
system. This means MK_KERBEROS_SUPPORT installs the same files with
both MIT and Heimdal.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 66165
Build 63048: arc lint + arc unit

Event Timeline

ivy created this revision.Aug 11 2025, 1:15 PM

Herald added subscribers: ziaee, emaste, imp, bdrewery. · View Herald TranscriptAug 11 2025, 1:15 PM

ivy requested review of this revision.Aug 11 2025, 1:15 PM

Harbormaster completed remote builds in B66161: Diff 160179.Aug 11 2025, 1:15 PM

i intend to follow this with a revamp to OptionalObsoleteFiles for Kerberos that will be much simpler and also more correct. not having to deal with GSSAPI or KERBEROS_SUPPORT makes this a lot easier, both now and in the future.

also switch compile_et from KERBEROS_SUPPORT to KERBEROS in the Heimdal case

Harbormaster completed remote builds in B66162: Diff 160180.Aug 11 2025, 1:24 PM

Please add an UPDATING entry.

add UPDATING entry

also, i'll add a RELNOTES entry if this lands

Harbormaster completed remote builds in B66165: Diff 160184.Aug 11 2025, 2:16 PM

ivy mentioned this in D51853: src.opts.mk: Do not allow WITHOUT_GSSAPI with MIT Kerberos.Aug 11 2025, 2:20 PM

This needs broader discussion on FreeBSD-arch@. Can you open discussion, please? Coming out of that we would know whether to remove MK_GSSAPI or alter the MIT GSSAPI to that end.

cy added reviewers: cy, imp, jhb, des, emaste, jrm.Aug 11 2025, 2:40 PM

I conditionally accept this revision. I don't think MK_GSSAPI makes no sense anymore since we're using the MIT KRB5 GSSAPI as our primary GSSAPI. lib/libgssapi was separate from Heimdal GSSAPI. This allowed us to install GSSAPI for use with other GSS providers not Kerberos. I don't think this holds true today. I'm willing to be convinced otherwise though.

This revision is now accepted and ready to land.Aug 11 2025, 2:50 PM

In D51859#1185120, @cy wrote:

I conditionally accept this revision. I don't think MK_GSSAPI makes no sense anymore since we're using the MIT KRB5 GSSAPI as our primary GSSAPI. lib/libgssapi was separate from Heimdal GSSAPI. This allowed us to install GSSAPI for use with other GSS providers not Kerberos. I don't think this holds true today. I'm willing to be convinced otherwise though.

this was my reasoning as well, but i've posted to arch@ just in case: https://lists.freebsd.org/archives/freebsd-arch/2025-August/000984.html

ivy added a child revision: D51874: OptionalObsoleteFiles: Update Kerberos entries.Aug 12 2025, 2:08 PM

no one on arch@ has objected to this, so i'd like to move forward if possible - ideally we can land this for 15.0 as part of the MIT Kerberos switch.

ivy added commits: rGdc5ba6b8b4f0: Remove MK_GSSAPI, rG095e23bfd4c5: RELNOTES: Note WITHOUT_GSSAPI removal (dc5ba6b8b4f0).Aug 21 2025, 6:01 PM

ivy closed this revision.Aug 21 2025, 6:03 PM