On Mon, Aug 25, 2025 at 9:09 AM Kyle Evans <[email protected]> wrote:
>
> On 8/25/25 07:53, Gleb Smirnoff wrote:
> > Hi,
> >
> > On Mon, Aug 25, 2025 at 01:00:07AM -0700, Gleb Smirnoff wrote:
> > T> This is an automated email to inform you that the August 2025 stabilization week
> > T> started with FreeBSD/main at main-n279838-6c45a5dad0a0, which was tagged as
> > T> main-stabweek-2025-Aug.
> >
> > This stabilization cycle is expected to be more bumpy than usual.
> >
> > 1) We got a major upgrade - OpenSSL 3.5.1. One known issue is that the legacy
> > provider is broken.

I believe that KTLS support isn't yet enabled for it? (If so, NFS over TLS won't work.)

> >
> > 2) The default Kerberos now is MIT. We have already checked that a Kerberized
> > NFS client can migrate from Heimdal to MIT. We did not check Kerberized NFS
> > server, but should be fine.

I tested the server a couple of days ago and it was fine.

> > There is not yet an official way to migrate kdc
> > from Heimdal to MIT.

Yea. One possibility is to install Heimdal-7.8 from ports/packages and then use it to dump the KDC's database in MIT format. (Although Cy seemed to find it didn't work, doing this with the "--decrypt" option might retain the passwords.)

I'll give this a try and report back if it worked for me.

rick

> > So, if you are upgrading a machine that is kdc, you need
> > WITHOUT_MITKRB5="yes" in your src.conf.
> >
> > 3) The official pkg repo is now almost empty, see email from Colin [1]. So, do
> > not rush with 'make delete-old-libs', unless you are ready to build a lot of
> > packages yourself.
> >
> > 4) The unfortunate coincidence with 3) is ABI breakage in the
> > setgroups(2)/getgroups(2) syscalls compared to the July stabilization point.
> > Some packages would dump core. These packages need to be rebuilt.
> >
>
> This should be mitigated if you have COMPAT_FREEBSD14 enabled? Old packages would
> reference the old compat symbol versions in libc, which should use the COMPAT_FREEBSD14
> variants of setgroups/getgroups. If you have a pointer to scenarios where that isn't
> the case, that'd be helpful - old packages should be fine in the GENERIC case.
>
> Thanks,
>
> Kyle Evans
