Re: Deprecations in authentication

On Mon, Oct 22, 2012 at 4:24 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> Magnus, all,
>
> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> > On Thu, Oct 18, 2012 at 5:59 PM, Robert Haas <robertmhaas(at)gmail(dot)com>
> wrote:
> > > That seems like a sufficiently long deprecation window, but is gssapi
> > > a full substitute for krb5? I don't really have a strong opinion on
> > > this, not being a user myself.
> >
> > I'm pretty sure that it is.
> >
> > Stephen, you usually have comments about the Kerberos stuff - want to
> > comment on this one? :)
>
> The biggest risk that I can think of regarding deprecating krb5 would be
> platforms (if any still exist...) which don't have GSSAPI. Is it
>

I have no idea what platform that would be. Both the standard
implementations of krb5 have supported gssapi since forever. The only
nonstandard environment we support there is Windows, and that one *only*
has support for GSSAPI/SSPI.

> possible to see that from the buildfarm information or from the
> configure results that people have for any strange/different platforms
> out there? The other question would be if we think anyone's actually
>

Well, we can remove it and see if it breaks :)

> using krb5 on those platforms and/or would people in those situations be
> willing/able to move to a different library which supports GSSAPI.
>
> I'm all for deprecating krb5 myself, but I wouldn't want to break things
> for people without good cause.
>
>
It's been deprecated for *years*. This is about removing it.

The cause would be to keep the code clean and less maintenance of security
code in general, is a good thing.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/