On Thu, Jul 24, 2025 at 11:40:10AM -0700, Cy Schubert wrote:
> In message <aij0i9mx7n3-j...@kib.kiev.ua>, Konstantin Belousov writes:
> > On Thu, Jul 24, 2025 at 10:34:12AM -0700, Cy Schubert wrote:
> > > In message <aijtfpkpppqqq...@kib.kiev.ua>, Konstantin Belousov writes:
> > > > On Thu, Jul 24, 2025 at 05:14:15PM +0000, Cy Schubert wrote:
> > > > > The branch main has been updated by cy:
> > > > > 
> > > > > > URL: https://cgit.FreeBSD.org/src/commit/?id=e447c252d0eca8f1440996f2a3521c75c06ae126
> > > > > 
> > > > > commit e447c252d0eca8f1440996f2a3521c75c06ae126
> > > > > Author:     Cy Schubert <c...@freebsd.org>
> > > > > AuthorDate: 2025-07-24 16:24:03 +0000
> > > > > Commit:     Cy Schubert <c...@freebsd.org>
> > > > > CommitDate: 2025-07-24 16:31:40 +0000
> > > > > 
> > > > >     krb5: Merge Heimdal common functions into version maps
> > > > >     
> > > > >     Requested by:   kib
> > > > I do not remember that I ever asked to do this.
> > > > More, I do not understand Kerberos to see such details.
> > > >
> > > > But see below.
> > > >
> > > > > ---
> > > > >  krb5/lib/gssapi/version.map | 171 +++++++++---------
> > > > > >  krb5/lib/krb5/version.map   | 430 ++++++++++++++++++++++----------------------
> > > > >  krb5/util/et/version.map    |  12 +-
> > > > >  3 files changed, 312 insertions(+), 301 deletions(-)
> > > > > 
> > > > > diff --git a/krb5/lib/gssapi/version.map b/krb5/lib/gssapi/version.map
> > > > > index bd0d28df70a7..d52c0d3d1e36 100644
> > > > > --- a/krb5/lib/gssapi/version.map
> > > > > +++ b/krb5/lib/gssapi/version.map
> > > > > @@ -1,3 +1,90 @@
> > > > > +HEIMDAL_GSS_2.0 {
> > > > > +     global:
> > > > > +             gss_accept_sec_context;
> > > > > +             gss_acquire_cred;
> > > > > +             gss_acquire_cred_with_password;
> > > > > +             gss_add_buffer_set_member;
> > > > > +             gss_add_cred;
> > > > > +             gss_add_cred_with_password;
> > > > > +             gss_add_oid_set_member;
> > > > > +             gss_authorize_localname;
> > > > > +             gss_canonicalize_name;
> > > > > +             gss_compare_name;
> > > > > +             gss_context_time;
> > > > > +             gss_create_empty_buffer_set;
> > > > > +             gss_create_empty_oid_set;
> > > > > +             gss_decapsulate_token;
> > > > > +             gss_delete_name_attribute;
> > > > > +             gss_delete_sec_context;
> > > > > +             gss_display_mech_attr;
> > > > > +             gss_display_name;
> > > > > +             gss_display_name_ext;
> > > > > +             gss_display_status;
> > > > > +             gss_duplicate_name;
> > > > > +             gss_encapsulate_token;
> > > > > +             gss_export_cred;
> > > > > +             gss_export_name;
> > > > > +             gss_export_name_composite;
> > > > > +             gss_export_sec_context;
> > > > > +             gss_get_mic;
> > > > > +             gss_get_name_attribute;
> > > > > +             gss_import_cred;
> > > > > +             gss_import_name;
> > > > > +             gss_import_sec_context;
> > > > > +             gss_indicate_mechs;
> > > > > +             gss_indicate_mechs_by_attrs;
> > > > > +             gss_init_sec_context;
> > > > > +             gss_inquire_attrs_for_mech;
> > > > > +             gss_inquire_context;
> > > > > +             gss_inquire_cred;
> > > > > +             gss_inquire_cred_by_mech;
> > > > > +             gss_inquire_cred_by_oid;
> > > > > +             gss_inquire_mech_for_saslname;
> > > > > +             gss_inquire_mechs_for_name;
> > > > > +             gss_inquire_name;
> > > > > +             gss_inquire_names_for_mech;
> > > > > +             gss_inquire_saslname_for_mech;
> > > > > +             gss_krb5_ccache_name;
> > > > > +             gss_krb5_copy_ccache;
> > > > > +             gss_krb5_export_lucid_sec_context;
> > > > > +             gss_krb5_free_lucid_sec_context;
> > > > > +             gss_krb5_get_tkt_flags;
> > > > > +             gss_krb5_import_cred;
> > > > > +             gss_krb5_set_allowable_enctypes;
> > > > > +             gss_oid_equal;
> > > > > +             gss_oid_to_str;
> > > > > +             gss_pname_to_uid;
> > > > > +             gss_process_context_token;
> > > > > +             gss_pseudo_random;
> > > > > +             gss_release_buffer;
> > > > > +             gss_release_buffer_set;
> > > > > +             gss_release_cred;
> > > > > +             gss_release_iov_buffer;
> > > > > +             gss_release_name;
> > > > > +             gss_release_oid;
> > > > > +             gss_release_oid_set;
> > > > > +             gss_seal;
> > > > > +             gss_set_cred_option;
> > > > > +             gss_set_name_attribute;
> > > > > +             gss_set_sec_context_option;
> > > > > +             gss_sign;
> > > > > +             gss_store_cred;
> > > > > +             gss_test_oid_set_member;
> > > > > +             gss_unseal;
> > > > > +             gss_unwrap;
> > > > > +             gss_unwrap_iov;
> > > > > +             gss_userok;
> > > > > +             gss_verify;
> > > > > +             gss_verify_mic;
> > > > > +             gss_wrap;
> > > > > +             gss_wrap_iov;
> > > > > +             gss_wrap_iov_length;
> > > > > +             gss_wrap_size_limit;
> > > > > +             gsskrb5_extract_authtime_from_sec_context;
> > > > > +             gsskrb5_extract_authz_data_from_sec_context;
> > > > > +             krb5_gss_register_acceptor_identity;
> > > > > +};
> > > > > +
> > > > >  gssapi_krb5_2_MIT {
> > > > >       global:
> > > > >               GSS_C_ATTR_LOCAL_LOGIN_USER;
> > > > > @@ -46,67 +133,14 @@ gssapi_krb5_2_MIT {
> > > > >               GSS_C_MA_CTX_TRANS;
> > > > >               GSS_C_MA_NEGOEX_AND_SPNEGO;
> > > > >               GSS_C_SEC_CONTEXT_SASL_SSF;
> > > > > -             gss_accept_sec_context;
> > > > > -             gss_acquire_cred;
> > > > > -             gss_acquire_cred_with_password;
> > > > >               gss_acquire_cred_impersonate_name;
> > > > > -             gss_add_buffer_set_member;
> > > > > -             gss_add_cred;
> > > > >               gss_add_cred_impersonate_name;
> > > > > -             gss_add_cred_with_password;
> > > > > -             gss_add_oid_set_member;
> > > > > -             gss_authorize_localname;
> > > > > -             gss_canonicalize_name;
> > > > > -             gss_compare_name;
> > > > >               gss_complete_auth_token;
> > > > > -             gss_context_time;
> > > > > -             gss_create_empty_buffer_set;
> > > > > -             gss_create_empty_oid_set;
> > > > > -             gss_decapsulate_token;
> > > > > -             gss_delete_name_attribute;
> > > > > -             gss_delete_sec_context;
> > > > > -             gss_display_mech_attr;
> > > > > -             gss_display_name;
> > > > > -             gss_display_name_ext;
> > > > > -             gss_display_status;
> > > > > -             gss_duplicate_name;
> > > > > -             gss_encapsulate_token;
> > > > > -             gss_export_cred;
> > > > > -             gss_export_name;
> > > > > -             gss_export_name_composite;
> > > > > -             gss_export_sec_context;
> > > > > -             gss_get_mic;
> > > > >               gss_get_mic_iov;
> > > > >               gss_get_mic_iov_length;
> > > > > -             gss_get_name_attribute;
> > > > > -             gss_import_cred;
> > > > > -             gss_import_name;
> > > > > -             gss_import_sec_context;
> > > > > -             gss_indicate_mechs;
> > > > > -             gss_init_sec_context;
> > > > > -             gss_indicate_mechs_by_attrs;
> > > > > -             gss_inquire_attrs_for_mech;
> > > > > -             gss_inquire_context;
> > > > > -             gss_inquire_cred;
> > > > > -             gss_inquire_cred_by_mech;
> > > > > -             gss_inquire_cred_by_oid;
> > > > > -             gss_inquire_mech_for_saslname;
> > > > > -             gss_inquire_mechs_for_name;
> > > > > -             gss_inquire_names_for_mech;
> > > > > -             gss_inquire_saslname_for_mech;
> > > > > -             gss_inquire_sec_context_by_oid;
> > > > > -             gss_krb5_ccache_name;
> > > > > -             gss_krb5_copy_ccache;
> > > > > -             gss_krb5_export_lucid_sec_context;
> > > > > -             gss_krb5_free_lucid_sec_context;
> > > > > -             gss_krb5_get_tkt_flags;
> > > > > -             gss_krb5_import_cred;
> > > > > -             gss_krb5_set_allowable_enctypes;
> > > > >               gss_krb5_set_cred_rcache;
> > > > >               gss_krb5int_make_seal_token_v3;
> > > > >               gss_krb5int_unseal_token_v3;
> > > > > -             gsskrb5_extract_authtime_from_sec_context;
> > > > > -             gsskrb5_extract_authz_data_from_sec_context;
> > > > >               gss_localname;
> > > > >               gss_map_name_to_any;
> > > > >               gss_mech_iakerb;
> > > > > @@ -124,47 +158,16 @@ gssapi_krb5_2_MIT {
> > > > >               gss_nt_service_name_v2;
> > > > >               gss_nt_string_uid_name;
> > > > >               gss_nt_user_name;
> > > > > -             gss_oid_equal;
> > > > > -             gss_oid_to_str;
> > > > > -             gss_pname_to_uid;
> > > > > -             gss_pseudo_random;
> > > > > -             gss_process_context_token;
> > > > >               gss_release_any_name_mapping;
> > > > > -             gss_release_buffer_set;
> > > > > -             gss_release_buffer;
> > > > > -             gss_release_cred;
> > > > > -             gss_release_iov_buffer;
> > > > > -             gss_release_name;
> > > > > -             gss_release_oid;
> > > > > -             gss_release_oid_set;
> > > > > -             gss_seal;
> > > > > -             gss_set_name_attribute;
> > > > >               gss_set_neg_mechs;
> > > > > -             gss_set_sec_context_option;
> > > > > -             gss_sign;
> > > > > -             gss_store_cred;
> > > > >               gss_str_to_oid;
> > > > > -             gss_test_oid_set_member;
> > > > > -             gss_unseal;
> > > > > -             gss_unwrap;
> > > > >               gss_unwrap_aead;
> > > > > -             gss_unwrap_iov;
> > > > > -             gss_userok;
> > > > > -             gss_verify;
> > > > > -             gss_verify_mic;
> > > > >               gss_verify_mic_iov;
> > > > > -             gss_wrap;
> > > > >               gss_wrap_aead;
> > > > > -             gss_wrap_iov;
> > > > > -             gss_wrap_iov_length;
> > > > > -             gss_wrap_size_limit;
> > > > > -             gss_set_cred_option;
> > > > >               gssspi_set_cred_option;
> > > > >               gssspi_mech_invoke;
> > > > >               krb5_gss_dbg_client_expcreds;
> > > > > -             krb5_gss_register_acceptor_identity;
> > > > >               krb5_gss_use_kdc_context;
> > > > > -             gss_inquire_name;
> > > > >               gss_acquire_cred_from;
> > > > >               gss_add_cred_from;
> > > > >               gss_store_cred_into;
> > > >
> > > > This breaks the ABI of _current_ libc on HEAD even more.
> > > > Please do bump the dso versions for all libs from kerberos/gss
> > > > with same current name as it was in Heimdal time.
> > > 
> > > In other words use Heimdal in the name instead of the names MIT uses?
> > > 
> > > > This was certainly short sighted on our part when we put Heimdal in our DSO
> > > > names at the time.
> > No.
> >
> > Just for all libs that have the same name as old heimdal libs, bump
> > dso version.  Do not rewrite version scripts, if there are vendor-provided
> > scripts, patching it locally now would be a maintenance nightmare.
> >
> > I suspect that there is something unclear in "bump the dso version"
> > suggestion.
> 
> Those were bumped from .11 to .121 (for MIT KRB5 1.21). This should have 
> been evident from the start.

It is absolutely not evident.

Then, why did you do the patches against vendor versioning?
Unless we have very good reason, we must stick to stock vendor version
scripts.

When symbol version was added (presumably to not versioned libs), dso
version should have been bumped again, if providing strong ABI stability
guarantees.  But due to all rototiling in version scripts, I suspect
we must admit that this is useless now.
