Release Meeting Minutes/2011-06-28

From K5Wiki
Revision as of 13:21, 7 July 2011 by TomYu (Talk | contribs)



Will Fiveash, Sam Hartman, Greg Hudson, Nathaniel McCallum, Simo Sorce, Zhanna Tsitkova, Tom Yu

Preauth interface

Greg
Sam, are you OK with incompatible change to preauth interface?
Sam
We did announce it; believe users are few, and we can help them update.
Greg
We don't install the header.
Sam
Oh then we didn't make it public. Only issue remaining is registration. Suspicious that if you need to do something special to get pkinit, something is wrong. Wish preauth interface didn't have too many arguments.

[...]

Greg
Don't like get_data_fn. Concerned that redesign could cause proliferation of calls to get_data_fn...
Greg
What level of guarantee does OTP need for the nonce in the challenge?
Sam
In practice a 3rd party server is involved. Also Nico says replays here aren't too much of a problem.
Greg
My design ... freshness in a time window.
Sam
Would assume clockskew.
Sam
Why do you want to continue generating kvno field?
Greg
No way to tell our encoder to not encode.

Reverse-DNS pain

Tom
Established a test DNS record ptr-mismatch.kerberos.org. It does the obvious thing. Various Debian and Ubuntu bugs updated to reflect things we've discovered.
Greg
Would it break too many people to turn off rdns by default?
Simo
Rarely the case that you have complete control over PTR.
Tom
Anyone remember why we use rdns?
Sam
gethostbyname() implementations that don't forward-canonicalize? (SunOS?)
Will
In Solaris krb5, we have disabled rdns for a long time.
Sam
SunOS4, Ultrix?

Greg will send mail to kerberos list.

Sam
New-setup pain from PTR is enormous.

Test suite

Tom
Fragility of test suite.
Sam
Over the years Dejagnu has had issues.
Tom
Works on Lucid with no special software.
Tom
Buildbot.
Sam
Buildbot can do binary search to find who broke something.
Tom
Hardwired port numbers in our test suite can cause problems with multiple instances of test suite running on same host.
Sam
Tried randomizing; didn't work well. Manually configure a range per test instance.
Will
Observation re our (Oracle/Solaris) internal expect-based tests: can be opaque. Hard to get visibility into what's going on.
Greg
RPC tests are worst for that reason. Python-based tests optimized for debugging.
Tom
Wiki page on test suite updated.

FAST

Will
FAST cookie stuff?
Greg
OTP FAST factor. It's a padata value that client must send in its reply to KDC. Currently no way for preauth mechanism to set cookie. Spec says it's implementation-specific. Problems with that.

Mechglue

Sam
We will be playing with mechglue on Windows.
Greg
Mech provider has to include something that includes internal headers.
Sam
win-mac.h defines a bunch of autoconf symbols. We'll put a lot of it into k5-int.h. Calling conventions inconsistent.
Sam
Mechglue function pointers don't have callconv.
Sam
sysconfdir problems. It's just wrong on Windows.