Should we continue with Heimdal (was: Re: [PATCH] Some coverity fixes)

Andrew Bartlett abartlet at
Wed May 13 00:23:04 MDT 2015

On Tue, 2015-05-12 at 09:41 +0200, Andreas Schneider wrote:
> The last time I asked for help for development they completely ignored me. So 
> I consider this project dead and will not invest any time in Heimdal. If you 
> still like riding a dead horse instead of going with MIT KRB5 ...


I really don't think that one single mail to heimdal-discuss (as far as
my archives show) is really the best measure to write off an open source
community, but I would agree that Heimdal isn't in the best of states,
much like MIT was in a very poor state when we started this effort, so
many long years ago.

I know this must sound strange, but I really look forward to the day
that you get the MIT Krb5 port finished, and we can just use a solid,
widely distributed system library.  I admire the work done so far, but I
also fear we are still a very long way off, based on the work that was
required for Heimdal.  That is, there were just so many small but 
critical details.

The tests I wrote recently should help a lot however, in ensuring
correctness at least with the KDC protocols.  We need some similar tests
around the GSSAPI layer, for features like DCE_STYLE authentication and
some of the auto-skew handling. 

I think we will continue to have similar challenges when we need small
but critical changes to the library sooner than a RHEL package might
allow, but we can both agree that this isn't a new problem in Free Software.  

However, when we get there, when all the internal and windows-integration
tests pass (and I am confident in your team's abilities that
we will succeed in this eventually), then I would like to seriously discuss if
maintaining two alternate solutions here is really worth the costs
involved, and the risks/benefits of supporting just one, system Kerberos

While it saddens me that we have to go to so much effort to change horses, 
dead or otherwise, I don't fancy riding two of them at the same time in the 
long term. 

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT

More information about the samba-technical mailing list