Andreas Hasenack <andr...@canonical.com> writes:

> I opened #1074775[1] to backport the heimdal patches that add include
> and includedir support, filed a couple of salsa PRs[2][3] with tests,
> and they were merged. Once there is a new upload of heimdal, we can
> consider making this change in kerberos-configs then. What do you think?
I am in favor of making this change. Thank you very much for clearing the
blocker in Heimdal. This will, among other things, let me finally address
#756880[1].

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756880

The change is not entirely trivial, however. Here are some things that come
to mind that we probably need a plan for how to handle:

1. For already-configured systems, should we add the include directive to
   the existing krb5.conf file? Presumably the answer is yes, or the
   migration is going to be rather difficult. Is there a correct place in
   the krb5.conf file to add the include so that we get the correct
   semantics for whether fragments override the main file or vice versa?
   Are we going to break anyone's system by suddenly including the
   fragments? We'll at least need a NEWS.Debian entry; maybe we also need
   a debconf warning in some situations?

2. With the current logic, it's not possible to guarantee that the include
   directive has been added, since krb5-config by design doesn't touch a
   krb5.conf file that's a symlink. That means it's possible to have the
   latest version of everything installed and still not respect the
   configuration fragments. Do we just live with this? I'm nervous about
   moving critical configuration into a fragment when we can't guarantee
   that the fragment is loaded. In the libpam-krb5 case, this can lead to
   a security vulnerability.

3. How do dependencies work? This change to krb5-config will require a
   particular version of Heimdal, since earlier versions don't support
   include (and will this break Kerberos entirely if the include is
   present?). But krb5-config can't depend on any specific Kerberos
   implementation, so I don't know how to represent this as a dependency.
   And what dependency should a package that wants to use included
   fragments have to ensure that those included fragments are loaded?

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
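As an added illustration of the situation in item 2 of the reply above (example code, not from the thread or from kerberos-configs), here is a POSIX shell check that reports whether a given krb5.conf actually contains the includedir directive for a fragment directory, treating the symlink case that krb5-config will not edit separately. The fragment directory name /etc/krb5.conf.d is an assumed placeholder; the thread names no directory.

```shell
#!/bin/sh
# Added example for the thread above, not code from kerberos-configs or from
# either poster. It checks whether a krb5.conf loads a fragment directory and
# distinguishes the symlink case that krb5-config by design does not edit.
# Assumption: /etc/krb5.conf.d is a placeholder fragment directory name.

# krb5_loads_fragments CONF DIR
# Returns 0 if CONF has an uncommented "includedir DIR" line, 1 otherwise.
# Comment lines in krb5.conf begin with '#', so they never match the anchor.
krb5_loads_fragments() {
    conf=$1
    dir=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots for the regex
    [ -r "$conf" ] || return 1
    grep -Eq "^[[:space:]]*includedir[[:space:]]+$dir[[:space:]]*$" "$conf"
}

# krb5_fragment_status CONF DIR
# Prints one word: ok (directive present), symlink (CONF is a symlink, which
# the packaging will not edit, and the directive is absent), or missing
# (regular file without the directive).
krb5_fragment_status() {
    if krb5_loads_fragments "$1" "$2"; then
        echo ok
    elif [ -L "$1" ]; then
        echo symlink
    else
        echo missing
    fi
}

# Constructed sample files exercising the three outcomes.
demo_dir=$(mktemp -d)
printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$demo_dir/plain.conf"
printf 'includedir /etc/krb5.conf.d\n[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' \
    > "$demo_dir/with.conf"
ln -s "$demo_dir/plain.conf" "$demo_dir/link.conf"
for f in with plain link; do
    printf '%s: %s\n' "$f.conf" \
        "$(krb5_fragment_status "$demo_dir/$f.conf" /etc/krb5.conf.d)"
done
rm -rf "$demo_dir"
```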