pkgsrc-Changes archive


CVS commit: pkgsrc/databases/postgresql16



Module Name:    pkgsrc
Committed By:   riastradh
Date:           Wed Sep 11 13:29:14 UTC 2024

Modified Files:
        pkgsrc/databases/postgresql16: options.mk

Log Message:
databases/postgresql16: Fix krb5 defaults and dependencies.

Currently postgresql16's gssapi option requires mit-krb5.  It cannot
be safely linked, e.g. through libpq, into any application that also
links against a non-mit-krb5 libgssapi, such as heimdal as shipped in
NetBSD.

It is generally good to have gssapi support out of the box, since it
is probably the most widely deployed single-sign-on system on the
planet, and we've had it enabled by default for ages.  But it is now
incompatible with the default krb5 implementation in NetBSD and
pkgsrc on most platforms.  So, unless we can change pgsql to restore
heimdal support, this option has to be off unless you have switched
to mit-krb5 systemwide.

As discussed in this thread:

https://mail-index.netbsd.org/tech-pkg/2024/09/04/msg029866.html

Verified on NetBSD that:

- out of the box, gssapi is disabled by default
- with PKG_OPTIONS.postgresql16+=gssapi, PKG_FAIL_REASON fires
- with KRB5_DEFAULT=mit-krb5, gssapi is enabled by default

Also verified, with and without gssapi, that it builds a libpq.so
that does not link against /usr/lib/libgssapi.so (but with gssapi,
does link against mit-krb5's libgssapi_krb5.so).


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/databases/postgresql16/options.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/databases/postgresql16/options.mk
diff -u pkgsrc/databases/postgresql16/options.mk:1.7 pkgsrc/databases/postgresql16/options.mk:1.8
--- pkgsrc/databases/postgresql16/options.mk:1.7        Thu Aug 15 18:55:27 2024
+++ pkgsrc/databases/postgresql16/options.mk    Wed Sep 11 13:29:14 2024
@@ -1,11 +1,24 @@
-# $NetBSD: options.mk,v 1.7 2024/08/15 18:55:27 tnn Exp $
+# $NetBSD: options.mk,v 1.8 2024/09/11 13:29:14 riastradh Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.postgresql16
 PKG_SUPPORTED_OPTIONS= bonjour dtrace icu llvm gssapi ldap nls pam lz4
 PKG_SUGGESTED_OPTIONS= icu nls lz4
-.if ${OPSYS} != "Linux"
-PKG_SUGGESTED_OPTIONS+=        gssapi
-.endif
+
+# XXX This should use ${KRB5_TYPE}, not ${KRB5_DEFAULT:U}.  But
+# bsd.prefs.mk isn't guaranteed to define either KRB5_TYPE or
+# KRB5_DEFAULT -- the default value isn't provided by
+# mk/defaults/mk.conf; it's provided by krb5.buildlink3.mk, which pulls
+# in krb5 as a dependency, so we can't include it unless the option is
+# enabled.
+#
+# To break this cycle, we assume nothing uses mit-krb5 by default, and
+# only enable the gssapi option by default if the user or platform has
+# explicitly requested mit-krb5 by setting KRB5_DEFAULT.  (This is
+# currently true: krb5.buildlink3.mk rev. 1.14 picks heimdal as the
+# default.)
+#
+# See below about why this is conditional on mit-krb5.
+PKG_SUGGESTED_OPTIONS+=        ${"${KRB5_DEFAULT:U}" == "mit-krb5":?gssapi:}
 
 PLIST_VARS+=           gssapi llvm nls
 
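Review bot: The new PKG_SUGGESTED_OPTIONS line drops the old `.if ${OPSYS} != "Linux"` guard without comment, so on Linux with KRB5_DEFAULT=mit-krb5 the gssapi option is now suggested where it previously never was. Neither the XXX comment nor the log message mentions Linux. If the change is intended, state it in the comment block; if not, keep the OPSYS check around the new line. Separately, "See below" would be easier to follow if it named the gss_store_cred_into comment in the gssapi block, and the parenthetical about krb5.buildlink3.mk rev. 1.14 picking heimdal will go stale without notice if that default changes.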
@@ -27,11 +40,15 @@ CONFIGURE_ARGS+=    --enable-dtrace
 
 # GSSAPI (Kerberos5) authentication for the PostgreSQL backend
 .if !empty(PKG_OPTIONS:Mgssapi)
-BUILDLINK_API_DEPENDS.mit-krb5+=       mit-krb5>=1.11  # gss_store_cred_into
-# This should be ../mk/krb5.buildlink3.mk. However, that may select
-# security/heimdal as the Kerberos implementation, and it doesn't have
-# gss_store_cred_into().
-.  include "../../security/mit-krb5/buildlink3.mk"
+# Currently no released version of heimdal supports
+# gss_store_cred_into:
+# https://github.com/heimdal/heimdal/issues/1258
+# But pgsql requires it now:
+# https://www.postgresql.org/message-id/flat/abcc73d0-acf7-6896-e0dc-f5bc12a61bb1%40postgresql.org
+# So we require mit-krb5 until something changes with either pgsql or
+# heimdal.
+KRB5_ACCEPTED=         mit-krb5
+.  include "../../mk/krb5.buildlink3.mk"
 PLIST.gssapi=          yes
 CONFIGURE_ARGS+=       --with-gssapi
 .else
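Review bot: Removing `BUILDLINK_API_DEPENDS.mit-krb5+= mit-krb5>=1.11` drops the minimum version that the old trailing comment tied to gss_store_cred_into, and `KRB5_ACCEPTED= mit-krb5` only restricts the implementation, not its version. Since the new comment says pgsql still requires gss_store_cred_into, consider keeping the >=1.11 API dependency alongside the switch to ../../mk/krb5.buildlink3.mk, or add a line explaining why the version floor is no longer needed.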


