Re: longfin missing gssapi_ext.h

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: longfin missing gssapi_ext.h
Date: 2023-04-10 15:30:14
Message-ID: ZDQrhhsUb+X+WX9q@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > Yeah, I wouldn't be the least bit surprised if many folks running
> > FreeBSD with any interest in Kerberos have MIT Kerberos installed given
> > that Heimdal doesn't seem to be under any kind of ongoing active
> > development and is just in this maintenance mode.
>
> Yeah, that's a pretty scary situation for security-critical software.

Agreed.

> Maybe we should just desupport Heimdal, rather than investing effort
> to the contrary?

As this is for a new major PG release, I'd be in support of that. I
would like to get the kerberos tests working on a FreeBSD buildfarm
animal with MIT Kerberos installed, if possible.

> Also, the core-code versions of Heimdal in these BSDen are even scarier
> than the upstream releases, so I'm thinking that the fact that we
> currently compile against them is more a net negative than a positive.
> (Same logic as for macOS, really.)

Agreed. Still, I wouldn't go and break it for minor releases, but for a
new major version saying we no longer support Heimdal seems reasonable.
Then folks have the usual 5-ish years (if they want to delay as long as
possible) to move to MIT Kerberos.

> IOW, maybe it'd be okay to de-revert 3d4fa227b and add documentation
> saying that --with-gssapi requires MIT Kerberos not Heimdal.

I'd be happy with that and can add the appropriate documentation noting
that we require MIT Kerberos. Presumably the appropriate step at this
point would be to check with the RMT?

Thanks!

Stephen
