https://k5wiki.kerberos.org/wiki?action=history&feed=atom&title=Release_Meeting_Minutes%2F2014-06-17Release Meeting Minutes/2014-06-17 - Revision history2026-04-30T08:18:39ZRevision history for this page on the wikiMediaWiki 1.27.4https://k5wiki.kerberos.org/wiki?title=Release_Meeting_Minutes/2014-06-17&diff=5329&oldid=prevTomYu: New page: {{minutes|2014}} Tony Acero, Viktor Dukhovni, Will Fiveash, Greg Hudson, Zhanna Tsitkov, Nico Williams, Tom Yu ;Tom: Will, have you seen any DB2 corruption since we fixed the last big bug...2014-06-17T21:18:07Z<p>New page: {{minutes|2014}} Tony Acero, Viktor Dukhovni, Will Fiveash, Greg Hudson, Zhanna Tsitkov, Nico Williams, Tom Yu ;Tom: Will, have you seen any DB2 corruption since we fixed the last big bug...</p>
<p><b>New page</b></p><div>{{minutes|2014}}<br />
Tony Acero, Viktor Dukhovni, Will Fiveash, Greg Hudson, Zhanna Tsitkov, Nico Williams, Tom Yu<br />
<br />
;Tom: Will, have you seen any DB2 corruption since we fixed the last big bug?<br />
<br />
;Will: Haven't asked people yet; will make a note.<br />
<br />
;Greg: Nico, Russ wants to know your preferred JSON lib.<br />
<br />
;Nico: libjq https://github.com/stedolan/jq<br />
<br />
;Nico: Have some changes to Heimdal (not pushed) to do capaths computation. Wanted to call jq from Heimdal, ran into problems with heimbase.<br />
<br />
== Firewalled realms ==<br />
<br />
;Viktor: Various scenarios where users ssh into DMZ machines -- DMZ has no connectivity to origin realm. Get and delegate krbtgt/target@target. Keeps origin creds from leaking into possibly less secure target realm.<br />
<br />
;Viktor: Selected realms get destination TGTs instead of origin TGTs forwarded; alternatively, white list realms that get origin TGTs.<br />
<br />
;Tom: Two pieces<br />
:# list of target realms to which to forward local target TGTs<br />
:# client lib on destination app server -- deal with the weird ccache<br />
<br />
We think identifying the "starting TGT" in a ccache for this situation (client origin realm different from krbtgt/A@A) is helpful, probably using a ccache config entry.<br />
<br />
;Viktor: Java bug -- sometimes picks wrong krbtgt/A@A if there are multiple in cache.<br />
<br />
;Tom: Does hopping realms work? e.g. client@A ssh to DMZ realm B, then ssh to different DMZ realm C that can't talk to B?<br />
<br />
;Viktor: Should work.<br />
<br />
;Greg: Receive side might be better to implement first.<br />
<br />
;Tom: Need to coordinate how to structure the configuration settings.<br />
<br />
== DB2 ==<br />
<br />
;Will: Sent mail re DB2 -- probably haven't seen that kind of corruption since that bug {{bug|5880}} was fixed.</div>TomYu