Release Meeting Minutes/2011-06-28
From K5Wiki
Will Fiveash, Sam Hartman, Greg Hudson, Nathaniel McCallum, Simo Sorce, Zhanna Tsitkova, Tom Yu
Preauth interface
- Greg
- Sam, are you OK with incompatible change to preauth interface?
- Sam
- We did announce it; believe users are few, and we can help them update.
- Greg
- We don't install the header.
- Sam
- Oh, then we didn't make it public. Only issue remaining is registration. Suspicious that if you need to do something special to get pkinit, something is wrong. Wish preauth interface didn't have too many arguments.
[...]
- Greg
- Don't like get_data_fn. Concerned that redesign could cause proliferation of calls to get_data_fn...
- Greg
- What level of guarantee does OTP need for the nonce in the challenge?
- Sam
- In practice a 3rd party server is involved. Also Nico says replays here aren't too much of a problem.
- Greg
- My design ... freshness in a time window.
- Sam
- Would assume clockskew.
- Sam
- Why do you want to continue generating kvno field?
- Greg
- No way to tell our encoder to not encode.
Reverse-DNS pain
- Tom
- Established a test DNS record ptr-mismatch.kerberos.org. It does the obvious thing. Various Debian and Ubuntu bugs updated to reflect things we've discovered.
- Greg
- Would it break too many people to turn off rdns by default?
- Simo
- Rarely the case that you have complete control over PTR.
- Tom
- Anyone remember why we use rdns?
- Sam
- gethostbyname() implementations that don't forward-canonicalize? (SunOS?)
- Will
- In Solaris krb5, we have disabled rdns for a long time.
- Sam
- SunOS4, Ultrix?
Greg will send mail to kerberos list.
- Sam
- New-setup pain from PTR is enormous.
Test suite
- Tom
- Fragility of test suite.
- Sam
- Over the years Dejagnu has had issues.
- Tom
- Works on Lucid with no special software.
- Tom
- Buildbot.
- Sam
- Buildbot can do binary search to find who broke something.
- Tom
- Hardwired port numbers in our test suite can cause problems with multiple instances of test suite running on same host.
- Sam
- Tried randomizing; didn't work well. Manually configure a range per test instance.
- Will
- Observation re our (Oracle/Solaris) internal expect-based tests: can be opaque. Hard to get visibility into what's going on.
- Greg
- RPC tests are worst for that reason. Python-based tests optimized for debugging.
- Tom
- Wiki page on test suite updated.
FAST
- Will
- FAST cookie stuff?
- Greg
- OTP FAST factor. It's a padata value that client must send in its reply to KDC. Currently no way for preauth mechanism to set cookie. Spec says it's implementation-specific. Problems with that.
Mechglue
- Sam
- We will be playing with mechglue on Windows.
- Greg
- Mech provider has to include something that includes internal headers.
- Sam
- win-mac.h defines a bunch of autoconf symbols. We'll put a lot of it into k5-int.h. Calling conventions inconsistent.
- Sam
- Mechglue function pointers don't have callconv.
- Sam
- sysconfdir problems. It's just wrong on Windows.