working long-term with the MIT KRB5 codebase in the AD DC
jra at samba.org
Fri Oct 20 18:56:46 UTC 2017
So there's a tension here between the needs of distro's and the needs
of vendors (I'm considering Catalyst via Andrew as a specific Samba
Distros need Samba to work with the libraries shipped with the distro.
An "upstream first" policy for all dependent libraries is a must.
Vendors need flexibility to add new features to both libraries and
Samba to work with them. That sometimes means prototyping features
and after customer approval getting the changes pushed upstream.
I don't want a fork of MIT. No one wants to fork important security
libraries anymore. I don't want to keep a copy of Heimdal anymore. I
think we can all agree on this :-).
Moving both Heimdal and MIT to a git reference to an external tree is
a good idea.
My guess is the difficulty comes from this statement in Andrew's
> What I propose is:
> - Our build system uses a git reference (via a submodule or otherwise)
> to check out and build MIT krb5
> - In Samba master, this tracks either:
> - MIT master
> - a "
> - In Samba release branches this tracks:
> - the release branch, the released version of MIT krb5 that we will
> - This occur in parallel to the Heimdal build
what we need to determine is what "Samba vendor fork of
MIT in limited circumstances" actually means.
So long as this *doesn't* mean "a copy of MIT in our tree on samba.org"
I hope we can come to some compromise we can agree on.
I see some hope in Andreas's reply here:
>> What I propose is:
>> - Our build system uses a git reference (via a submodule or otherwise)
>> to check out and build MIT krb5
> That's fine just for development!
>> - In Samba master, this tracks either:
>> - MIT master
>> - a Samba vendor fork of MIT in limited circumstances
> That's extremly bad! An enterprise distribution will not allow a vendor fork
> of MIT Kerberos. You use what is in the system or not.
Can we get some consensus on what "is fine for development" means
to both of you ?
Andreas, how do you see Andrew being able to add needed features
to AD+MIT to move our MIT implementation forward ?
Andrew, how do you see being able to separate this out from
master so the distros can keep a supported Samba running against
the default shipped and supported crypto libraries ?
More information about the samba-technical