working long-term with the MIT KRB5 codebase in the AD DC

Jeremy Allison jra at samba.org
Fri Oct 20 18:56:46 UTC 2017


So there's a tension here between the needs of distros and the needs
of vendors (I'm considering Catalyst via Andrew as a specific Samba
vendor here).

Distros need Samba to work with the libraries shipped with the distro.
An "upstream first" policy for all dependent libraries is a must.

Vendors need flexibility to add new features to both libraries and
Samba to work with them. That sometimes means prototyping features
and after customer approval getting the changes pushed upstream.

I don't want a fork of MIT. No one wants to fork important security
libraries anymore. I don't want to keep a copy of Heimdal anymore. I
think we can all agree on this :-).

Moving both Heimdal and MIT to a git reference to an external tree is
a good idea.

My guess is the difficulty comes from this statement in Andrew's
email:

> What I propose is:
> - Our build system uses a git reference (via a submodule or otherwise)
> to check out and build MIT krb5
> - In Samba master, this tracks either:
>   - MIT master
>   - a "
> - In Samba release branches this tracks:
>   - the release branch, the released version of MIT krb5 that we will
> support
> - This occurs in parallel to the Heimdal build

What we need to determine is what "Samba vendor fork of
MIT in limited circumstances" actually means.

So long as this *doesn't* mean "a copy of MIT in our tree on samba.org"
I hope we can come to some compromise we can agree on.

I see some hope in Andreas's reply here:

>> What I propose is:
>>  - Our build system uses a git reference (via a submodule or otherwise)
>> to check out and build MIT krb5
>
> That's fine just for development!

>>  - In Samba master, this tracks either:
>>    - MIT master
>>    - a Samba vendor fork of MIT in limited circumstances
>
> That's extremely bad! An enterprise distribution will not allow a vendor fork
> of MIT Kerberos. You use what is in the system or not.

Can we get some consensus on what "is fine for development" means
to both of you?

Andreas, how do you see Andrew being able to add needed features
to AD+MIT to move our MIT implementation forward?

Andrew, how do you see being able to separate this out from
master so the distros can keep a supported Samba running against
the default shipped and supported crypto libraries?

Jeremy.


