Enable krb5-config auto-detect override in setup.py on FreeBSD #250

Closed
neirbowj opened this issue May 30, 2021 · 4 comments · Fixed by #253
Comments

@neirbowj
Contributor

a667468 introduced new detection logic to prefer more modern Kerberos libraries from the ports tree over the older Heimdal in base. This is an excellent choice for those who wish to install directly. As the maintainer of the security/py-gssapi port, I need to be able to A) build deterministically, and B) respect the OPTIONs set by a port builder in a way that is insensitive to the state of the build environment. That is, I need to be able to override any auto-detection.

In the current version of the port (1.6.9), I accomplish this by patching setup.py with the absolute path of whatever krb5-config is applicable to the GSSAPI library selected by the port builder ($KRB5CONFIG per the ports machinery).

I will be glad to draft a patch. First, I wanted to get feedback from the project to see if this would be welcome. If not, I can adapt the port-build-time patch to the new code. If so, is there an approach I should prefer/avoid for the purpose of general utility and maintainability? An environment variable, perhaps?

@frozencemetery
Member

frozencemetery commented Jun 1, 2021

Hi, great to hear from you!

My intent with the current freebsd-specific logic was that the /usr/local krb5-config would be preferred if it were present. This means that it should be possible to use the ancient Heimdal (while still retaining our autodetection logic) by removing /usr/local from $PATH.

If that's broken, or unworkable, I'm happy to discuss alternatives - I wasn't trying to make life harder for you :)

Regarding $KRB5CONFIG: we already have $GSSAPI_LINKER_ARGS and $GSSAPI_COMPILER_ARGS - these theoretically skip calling krb5-config altogether, but we're honestly not very consistent about that, so it wouldn't work for freebsd right now. (This should be fixed.) I wouldn't object to augmenting that with another env var containing the path to krb5-config, but would prefer not to break integrations folks might already have if it's easily avoided.

@frozencemetery
Member

Oh, while we're here: do you know if there's currently any effort to upgrade FreeBSD's Kerberos, or move to MIT?

@neirbowj
Contributor Author

neirbowj commented Jun 1, 2021

My intent with the current freebsd-specific logic was that the /usr/local krb5-config would be preferred if it were present.

This makes complete sense to me. It is what I would want to have happen if I were installing via pip or setup.py.

Regarding $KRB5CONFIG: we already have $GSSAPI_LINKER_ARGS and $GSSAPI_COMPILER_ARGS - these theoretically skip calling krb5-config altogether, but we're honestly not very consistent about that, so it wouldn't work for freebsd right now. (This should be fixed.) I wouldn't object to augmenting that with another env var containing the path to krb5-config, but would prefer not to break integrations folks might already have if it's easily avoided.

I'm not 100% sure that an env var is the way to go. I'm hoping to find some prior art elsewhere in the ports tree. If it turns out to be, I'm imagining it would work something like this:

$ pip install /path/to/python-gssapi.git    # autobots^H^H^H^H-detect: roll out!
...
$ env KRB5CONFIG=/place/with/krb5-config pip install /path/to/python-gssapi.git    # no auto-detect

It doesn't hurt my head to have $GSSAPI_*_ARGS override whether krb5-config is even consulted.

do you know if there's currently any effort to upgrade FreeBSD's Kerberos, or move to MIT?

I don't know. I have a vague recollection of a mailing list thread about that some time ago, but cannot readily find it again. FreeBSD's M.O. is to maintain the bare essentials in the base tree (e.g. openssl, openssh, ntpd, etc), updated or patched mainly on a security basis, not for feature releases. All of those projects are also found in the ports tree, which stays pretty close to upstream. BIND used to be in base, but it was replaced by unbound some years ago.

I could work some of my contacts if you would like a more authoritative answer or to lobby in favor of an upgrade.
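The resolution order the two comments above converge on (explicit $GSSAPI_*_ARGS skip krb5-config, an explicit path override beats auto-detection, and on FreeBSD /usr/local is preferred so base Heimdal is reached only by dropping it from $PATH) can be modelled as a single pure function. This is an added illustration, not python-gssapi's setup.py; the variable name KRB5CONFIG, the function name and the injected `existing` list are assumptions made so the decision is deterministic and testable without touching the filesystem.

```python
# Added example (not python-gssapi's setup.py): models the krb5-config
# resolution order discussed in this issue. Assumed names: KRB5CONFIG
# override variable, find_krb5_config(). Filesystem state is injected so the
# decision does not depend on the build host, which is the port's requirement.
import os
from typing import Mapping, Optional, Sequence


def find_krb5_config(env: Mapping[str, str], path_dirs: Sequence[str],
                     existing: Sequence[str], freebsd: bool) -> Optional[str]:
    """Return the krb5-config path to run, or None if it must not be run.

    env       -- build environment (only the keys below are consulted)
    path_dirs -- $PATH already split into directories
    existing  -- absolute paths of krb5-config binaries present on the host
                 (constructed/injected instead of os.path.exists for testing)
    freebsd   -- whether the host platform is FreeBSD
    """
    # 1. Explicit compiler and linker flags skip krb5-config altogether.
    if "GSSAPI_COMPILER_ARGS" in env and "GSSAPI_LINKER_ARGS" in env:
        return None
    # 2. An explicit override wins over any auto-detection. A port builder
    #    passes the absolute path matching the selected OPTION, so the
    #    result is insensitive to whatever else happens to be installed.
    override = env.get("KRB5CONFIG")
    if override:
        if override not in existing:
            raise FileNotFoundError(f"KRB5CONFIG={override} does not exist")
        return override
    # 3. On FreeBSD prefer the ports-tree krb5-config under /usr/local when
    #    it is on PATH; base Heimdal is chosen only by removing /usr/local
    #    from $PATH, as described in the maintainer's comment.
    candidates = [os.path.join(d, "krb5-config") for d in path_dirs]
    if freebsd:
        for c in candidates:
            if c.startswith("/usr/local/") and c in existing:
                return c
    # 4. Otherwise take the first krb5-config on PATH, like shutil.which().
    for c in candidates:
        if c in existing:
            return c
    return None
```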

@neirbowj
Contributor Author

neirbowj commented Jun 1, 2021

Here is some discussion on freebsd-security@ from 2016 about Heimdal in base. Seems inconclusive.
