krb5: 1.15.2 -> 1.17 #56182

Merged
merged 2 commits into from Mar 7, 2019

dtzWill
Member

@dtzWill dtzWill commented Feb 22, 2019

Motivation for this change

Not sure why this is so far behind, bump to latest release.

Review/testing requested-- will be doing at least basic build testing
but help appreciated beyond that :).

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@dtzWill
Member Author

dtzWill commented Feb 22, 2019

kerberos tests exist, not sure how to ask borg to run them (nixos/tests/kerberos/mit.nix ?).

@vcunat
Member

vcunat commented Feb 22, 2019

Staging changes will probably be too tough for Borg to complete.

@vcunat
Member

vcunat commented Feb 22, 2019

BTW, for other cases see Borg's README: https://github.com/NixOS/ofborg#test-added-2017-11-24

@vcunat
Member

vcunat commented Feb 22, 2019

I checked nixos.tests.kerberos.{mit,heimdal}.{x86_64,aarch64}-linux atop c7a1b77.

@dtzWill
Member Author

dtzWill commented Feb 22, 2019 via email

@vcunat
Member

vcunat commented Feb 22, 2019

I just merged staging to -next and there are almost no binaries yet – if you think it's worth it, this could be merged directly there (but soon if so, like today).

@vcunat
Member

vcunat commented Feb 22, 2019

In particular, the next staging iteration might not make it to 19.03.

@dtzWill
Member Author

dtzWill commented Feb 22, 2019 via email

@vcunat
Member

vcunat commented Feb 22, 2019

👍 let's wait, at least until we confirm there's something important in the changes.

@dtzWill dtzWill merged commit 3893afe into NixOS:staging Mar 7, 2019
@dtzWill dtzWill deleted the update/krb5-1.17 branch March 7, 2019 21:00
@dtzWill
Member Author

dtzWill commented Mar 7, 2019

(19.03 has branched off)

@kamidon
Contributor

kamidon commented Apr 24, 2019

I'd like to advocate for backporting this to 19.03. I've got a mixed environment of machines running 19.03 (for some servers, including my KDC) and unstable (mostly for workstations). User auth is handled using keys and certificates on Yubikeys. In this environment, freshness tokens provide some significant additional security and I'd like to require them. However, I can't do that without having everything run 1.17 and I'd prefer not to move all my machines to unstable. I've successfully overridden just the kerberos packages in 19.03 and that seems to work but taking that approach requires a mass rebuild on every change to 19.03 because (I think) the curl in stdenv has a dependency on these libraries.
