Jeffrey Altman <jalt...@secure-endpoints.com> writes: > Background on this test failure. > > The reason that the Heimdal 7.5.0 tests began to fail after they > previously succeeded is because the failing test relies upon an X.509 > certificate that expired on March 4 2019. > > Then post 7.5.0 support was added to support OpenSSL 1.1 which included > the ability to handle certificates with expiration dates post 19 Jan > 2038 03:14:07 UTC. > > Heimdal also updated the test suite certificates to last 500 years. > These certificates work fine on platforms with 64-bit time_t but on > platforms such as Debian Linux i386 where time_t is 32-bit, the tests > will fail. > > There has been no code change to Heimdal and there is no intention to > replace the use of time_t within Heimdal for a Heimdal specific time > integer type within the Heimdal 7.x series. Making such a change would > alter not only APIs but ABIs. Its unclear when or if we could make such > a change for the same reasons that Debian cannot alter the size of > time_t on i386.
To me it really sounds like Heimdal is dropping support for 32 bit architectures then. However Debian doesn't have the luxury of being able to drop the 32 bit version of Heimdal, just for the sake of a faulty test. Particularly when existing versions have known security issues. To solve this for the immediate short term, I am seriously considering disabling all 6 tests that are failing (see patch below). This in turn will solve the FTBFS bug, and allow us to solve the security issues (which are probably more important then the tests). Hopefully this in turn will get accepted into Buster. Does this problem affect Heimdal versions < 7.5.0? It sounds like these version should be fine (thinking of Jessie and Stretch security updates here). === cut === From: Brian May <b...@debian.org> Date: Wed, 22 May 2019 17:19:48 +1000 Subject: Disable tests that are failing due to expired cert See https://bugs.debian.org/923930 --- lib/hx509/Makefile.am | 3 --- tests/kdc/Makefile.am | 3 --- 2 files changed, 6 deletions(-) diff --git a/lib/hx509/Makefile.am b/lib/hx509/Makefile.am index bd71225..2880676 100644 --- a/lib/hx509/Makefile.am +++ b/lib/hx509/Makefile.am @@ -220,10 +220,7 @@ PROGRAM_TESTS = \ test_expr SCRIPT_TESTS = \ - test_ca \ test_cert \ - test_chain \ - test_cms \ test_crypto \ test_nist \ test_nist2 \ diff --git a/tests/kdc/Makefile.am b/tests/kdc/Makefile.am index 57b8f9a..b4f3d77 100644 --- a/tests/kdc/Makefile.am +++ b/tests/kdc/Makefile.am @@ -27,13 +27,10 @@ SCRIPT_TESTS = \ check-fast \ check-kadmin \ check-hdb-mitdb \ - check-kdc \ - check-kdc-weak \ check-keys \ check-kpasswdd \ check-pkinit \ check-referral \ - check-tester \ check-uu TESTS = $(SCRIPT_TESTS) === cut === -- Brian May <b...@debian.org>
