build: drop Heimdal support, update docs, replace with MIT Kerberos in CI by vszakats · Pull Request #18932 · curl/curl

vszakats (Member) commented Oct 8, 2025

The kerberos5 library Heimdal is one of three GSS libraries curl supports.
It has a memory leak triggered by the new test in #18917 and the project
seems mostly abandoned.

Drop support and steer users to the MIT krb5 or GNU GSS libraries.

Co-authored-by: Daniel Stenberg

Ref: #18928
Closes #18928


w/o sp https://github.com/curl/curl/pull/18932/files?w=1

@vszakats vszakats marked this pull request as draft October 8, 2025 10:36
@github-actions github-actions bot added the CI Continuous Integration label Oct 8, 2025
vszakats added a commit that referenced this pull request Oct 8, 2025
As done in other jobs, but here tailored to old cmake.

The logs generated by ancient CMake aren't super useful though.

Cherry-picked from #18932
Closes #18948
vszakats (Member, Author) commented Oct 8, 2025

With old CMake + pkg-config, the pre-existing code always found Heimdal, and with that gone, it always fails.

vszakats added a commit that referenced this pull request Oct 8, 2025
The documented `<prefix>_<moduleName>_VERSION` variables are empty in
all tested versions since 3.7.2 to 4.1.2. Stop using it as a fallback
for <3.16 versions, and replace with the undocumented, but working,
`FindPkgConfig` internal variable `_pkg_check_modules_pkg_name`. It
contains the module name which was found.

In practice, this caused curl to always detect the Heimdal flavor of GSS
with CMake <3.16 + `pkg-config`.

Also: Delete a fallback version detection method, which was already
marked with a question mark in comments, and used the same, always
empty, CMake variables.

Ref: https://cmake.org/cmake/help/v4.1/module/FindPkgConfig.html
Bug: #18932 (comment)

Closes #18950
@vszakats vszakats force-pushed the dropheimdal branch 2 times, most recently from 5604852 to b73fb6b Compare October 8, 2025 18:12
@vszakats vszakats marked this pull request as ready for review October 8, 2025 18:28
vszakats (Member, Author) commented Oct 8, 2025

One more snag: On FreeBSD, cmake detects it fine, autotools now fails.

The package flavor is MIT, but Heimdal?:

```
-- Checking for one of the modules 'gss;mit-krb5-gssapi'
-- FindGSS krb5-config --cflags: -I/usr/include
-- FindGSS krb5-config --libs: -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm
  -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lheimbase -lroken -lcrypt -pthread
-- Found GSS: MIT (found version "FreeBSD heimdal 1.1.0")
```

https://github.com/curl/curl/actions/runs/18354376870/job/52282444046?pr=18932#step:3:666

vszakats added a commit to vszakats/curl that referenced this pull request Oct 8, 2025
- fix to not detect Heimdal if a single `H` character appears in
  the vendor string.

- fix to detect Heimdal if the version string contains the word, instead
  of the vendor string (which may be empty, e.g. on FreeBSD)

Cherry-picked from curl#18932
@vszakats vszakats marked this pull request as draft October 8, 2025 21:13
vszakats (Member, Author) commented Oct 8, 2025

One more thought after investigating the last snag: Turns out FreeBSD is shipping
with Heimdal Kerberos by default. It comes with a bunch of local patches: https://cgit.freebsd.org/ports/tree/security/heimdal/files
and a version number that doesn't match any heimdal releases (to my eye at least): 1.1.0.
It builds correctly, if let through by the build logic. I don't know if it leaks though.

TL;DR dropping Heimdal may cause some friction on FreeBSD.

After this patch, curl will need krb5-devel (MIT) for Kerberos.

Another option may be to somehow detect and let through this specific flavour.

edit: This package was causing issues earlier because it cannot be detected via pkg-config. And thus cannot be added to curl's .pc file as a dependency without breaking it on FreeBSD.

@vszakats vszakats changed the title cmake: drop Heimdal support, update docs build: drop Heimdal support, update docs Oct 8, 2025
vszakats added a commit that referenced this pull request Oct 8, 2025
Do not detect Heimdal if a single `H` character appears in the vendor
string, require the full name: `Heimdal`.

Cherry-picked from #18932
Closes #18951
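
The two detection fixes described in the commit messages above (full-name match on the vendor string, fallback to the version string), sketched in shell as an added example; this is not curl's FindGSS.cmake or configure code. The function names, the constructed vendor and version strings, and the case-insensitive match on the version string are assumptions; the FreeBSD version string is the one quoted in the log earlier in the thread.

```shell
#!/bin/sh
# Added illustration; not taken from curl's build files.
# flavour_loose / flavour_strict are hypothetical names.

# Loose check: any capital "H" in the vendor string counts as Heimdal,
# so unrelated vendor strings are misclassified.
flavour_loose() {
  case "$1" in
    *H*) echo Heimdal ;;
    *)   echo MIT ;;
  esac
}

# Strict check: require the full name "Heimdal" in the vendor string and
# fall back to the version string, since the vendor may be empty.
# Lower-casing the version string before matching is an assumption.
flavour_strict() {
  vendor=$1
  version=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$vendor" in
    *Heimdal*) echo Heimdal; return ;;
  esac
  case "$version" in
    *heimdal*) echo Heimdal ;;
    *)         echo MIT ;;
  esac
}

# Sample inputs as "vendor|version". Rows 1 and 2 are constructed;
# row 3 uses the version string from the FreeBSD log with an empty vendor.
while IFS='|' read -r vendor version; do
  printf '%-20s %-24s loose=%-8s strict=%s\n' "[$vendor]" "[$version]" \
    "$(flavour_loose "$vendor")" "$(flavour_strict "$vendor" "$version")"
done <<'EOF'
Heimdal|7.8.0
Example Hat Linux|1.21.3
|FreeBSD heimdal 1.1.0
EOF
```

The second row shows the false positive of the single-character match, and the third shows the miss when only the vendor string is inspected.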
vszakats added a commit that referenced this pull request Oct 8, 2025
vszakats added a commit that referenced this pull request Oct 8, 2025
Sync format more with the rest of the Find modules.

Cherry-picked from #18932
Closes #18957
FindGSS.cmake drop heimdal support
vszakats and others added 10 commits October 9, 2025 02:00
The kerberos5 library Heimdal is one of three GSS libraries curl supports. It has a memory leak triggered by the new test in curl#18917 and the project seems mostly abandoned.

Drop support and steer users to the MIT krb5 or GNU GSS libraries.
This reverts commit 3cec48f8e59f848f4d7f77034f71a3f64784850d.
@vszakats vszakats marked this pull request as ready for review October 9, 2025 00:00
@vszakats vszakats changed the title build: drop Heimdal support, update docs build: drop Heimdal support, update docs, replace with MIT Kerberos in CI Oct 9, 2025
@vszakats vszakats closed this in 8be9a26 Oct 9, 2025
@vszakats vszakats deleted the dropheimdal branch October 9, 2025 00:28