> Package: evolution
> Version: 2.0.3-1
> Severity: important
>
> While looking for reverse-dependencies of the krb4 package to consider
> whether it can be removed from testing to fix an RC bug, I found that the
> evolution binaries on i386 are linked against libkrb5-17-heimdal and
> libkrb-1-kerberos4kth, but this is not the case on other platforms; it
> appears the i386 binaries were built in an environment where kerberos
> libraries were installed, and evolution automatically detected these
> libraries at build time.
>
> Kerberos 4, in particular, is a dead technology used only by non-standard
> services, and the protocol contains various known security holes. The
> Debian Kerberos FAQ recommends not implementing Kerberos 4 unless there is
> specific user demand. Please fix the source package so that it does not
> link against random libraries at build time, by either adding a
> Build-Conflict line or by passing the necessary arguments to evolution's
> configure script.
>
> Thanks,
> --
> Steve Langasek
> postmodern programmer

I'm sorry I didn't notice this earlier.

One of the "non-standard services" using Kerberos 4 is old legacy mail servers, in particular at universities, which is probably why Ximian put it in Evolution in the first place. I really can't see why plain text authentication over the wire (which it _does_ support) is to be preferred over Kerberos 4 authentication. I do, however, see other reasons as to why it would be good to get rid of Kerberos 4 in Debian, but I'm not going to discuss that here.

First of all, the old woody evolution 1.0.5-1woody2 supported Kerberos authentication (although only Kerberos 4) by specifically adding a Build-Depends on libkrb5-dev. Somewhere along the line - I _think_ it was in the Evolution 1.4 sid releases - this was changed to heimdal-dev and with that support for Kerberos 5 via GSSAPI.

Now, heimdal-dev will automatically bring in kerberos4kth-dev - by adding a Build-Conflicts against kerberos4kth-dev you are effectively forbidding linking against Heimdal Kerberos 5. I don't know the specific reasons as to why heimdal-dev brings in kerberos4kth-dev - the maintainers probably have good reasons for this.

Going from 1.4 to 2.0 in sid, the heimdal-dev Build-Depends was silently dropped - I've reported this in #278242 although, as you noticed, the maintainer binary upload of the i386 package was still built against heimdal-dev.

Yes, this is a mess, so let's just summarize:

  1.0.5 woody:      krb5-dev, Kerberos 4 works
  1.4:              heimdal-dev, GSSAPI works as does Kerberos 4
  2.0 pre 285908:   none, GSSAPI and Kerberos 4 only work on i386
  2.0 post 285908:  none whatsoever

The _only_ reason _I_ use Evolution is that it supports some sort of Kerberos authentication. Or at least it used to do. AFAIK, it was also the only mail client in woody that did that. In sarge, the only mail client that supports GSSAPI, AFAIK, is Mutt (which doesn't in woody). So basically, some users are going to be disappointed. (Well, I love Mutt, but my users certainly don't...)

My _proposal_, if we really want to get rid of Kerberos 4 support in Evolution 2.0, is this:

diff -Naur evolution-2.0.4/debian/control evolution-2.0.4.fixed/debian/control --- evolution-2.0.4/debian/control 2005-03-18 08:53:28.484408588 +0100 +++ evolution-2.0.4.fixed/debian/control 2005-03-18 08:53:02.945960213 +0100 @@ -2,8 +2,8 @@ Section: gnome Priority: optional Maintainer: Takuo KITAME <[EMAIL PROTECTED]> -Build-Depends: bison, intltool (>= 0.28-2), debhelper (>= 4.2.21), libgal2.2-dev (>= 2.2.5), gtkhtml3.2 (>= 3.2.5), libgtkhtml3.2-dev (>= 3.2.5), libbonoboui2-dev (>= 2.4.2), libldap2-dev (>= 2.0.23), libgnome2-dev (>= 2.6), libnss-dev (>= 2:1.7), scrollkeeper, psmisc, libsoup2.2-dev (>= 2.2.1-1), libpam-dev, gnome-common, autotools-dev (>= 20030717.1), libgnome-pilot2-dev, evolution-data-server-dev (>= 1.0.4), automake1.7, libgail-dev (>= 1.4.1), libcompfaceg1-dev, gnome-icon-theme (>= 1.2.0), cdbs, libdb4.2-dev -Build-Conflicts: evolution-data-server (<< 1.0.0), evolution1.5, kerberos4kth-dev +Build-Depends: bison, intltool (>= 0.28-2), debhelper (>= 4.2.21), libgal2.2-dev (>= 2.2.5), gtkhtml3.2 (>= 3.2.5), libgtkhtml3.2-dev (>= 3.2.5), libbonoboui2-dev (>= 2.4.2), libldap2-dev (>= 2.0.23), libgnome2-dev (>= 2.6), libnss-dev (>= 2:1.7), scrollkeeper, psmisc, libsoup2.2-dev (>= 2.2.1-1), libpam-dev, gnome-common, autotools-dev (>= 20030717.1), libgnome-pilot2-dev, evolution-data-server-dev (>= 1.0.4), automake1.7, libgail-dev (>= 1.4.1), libcompfaceg1-dev, gnome-icon-theme (>= 1.2.0), cdbs, libdb4.2-dev, heimdal-dev +Build-Conflicts: evolution-data-server (<< 1.0.0), evolution1.5 Standards-Version: 3.6.1.0 Package: evolution diff -Naur evolution-2.0.4/debian/rules evolution-2.0.4.fixed/debian/rules --- evolution-2.0.4/debian/rules 2005-03-18 08:53:28.484408588 +0100 +++ evolution-2.0.4.fixed/debian/rules 2005-03-18 08:52:16.595221181 +0100 
@@ -33,7 +33,7 @@ --without-openssl-libs \ --disable-gtk-doc \ --enable-pilot-conduits \ - --with-krb4=/usr \ + --without-krb4 \ --with-krb5=/usr \ --enable-ipv6 \ --disable-openssl \

However, I will not reopen #285908 since I'm afraid of stepping on too many toes, and there might be other reasons as to why Kerberos 5 GSSAPI support is dropped in the Debian edition of Evolution (such as incompatible licenses, instability or whatever).

-ukh
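
Review bot: In the debian/control hunk, heimdal-dev is added to Build-Depends in the same change that drops kerberos4kth-dev from Build-Conflicts, and the message above says heimdal-dev brings in kerberos4kth-dev, so the Kerberos 4 development files will be present in every build environment again. After this change nothing in debian/control keeps Kerberos 4 out of the build; only the configure flag in debian/rules does. Record that in a comment or changelog entry referencing #285908 so the Build-Conflicts is not reintroduced later without anyone noticing that it excludes heimdal-dev, and consider whether heimdal-dev should carry a version constraint like most of the neighbouring Build-Depends entries.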
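
Review bot: In the debian/rules hunk, the new "--without-krb4 \" line becomes the only guard against linking Kerberos 4, while the unchanged "--with-krb5=/usr \" line points configure at a prefix where, per the message, the Kerberos 4 development files will also be installed. The original report was about libraries being detected at build time, so the flag should be backed by a check after the build that the resulting binaries carry no dependency on libkrb-1-kerberos4kth, ideally as a step in debian/rules that fails the build, and the result should be confirmed on a non-i386 build as well.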
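
The check the report implies, as an added example that is not part of the original thread or of the evolution packaging: list the NEEDED entries of a built binary and fail when one matches a library the packaging did not intend to link. The sample "objdump -p" output is constructed, the sonames libkrb.so.1 and libkrb5.so.17 are assumptions inferred from the package names in the report, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): report NEEDED entries that the
# packaging did not intend, e.g. Kerberos 4 picked up by configure.

# Constructed sample of `objdump -p` output. The sonames are assumptions
# inferred from the package names libkrb5-17-heimdal / libkrb-1-kerberos4kth.
sample_dump() {
cat <<'EOF'
Dynamic Section:
  NEEDED               libgtk-x11-2.0.so.0
  NEEDED               libkrb5.so.17
  NEEDED               libkrb.so.1
  NEEDED               libc.so.6
  SONAME               libexample.so.0
EOF
}

# Print every NEEDED soname from `objdump -p` output on stdin.
needed_sonames() {
    awk '$1 == "NEEDED" { print $2 }'
}

# forbidden_needed GLOB...: read `objdump -p` output on stdin and print the
# NEEDED sonames matching any GLOB. Returns 1 on a match, 0 when clean.
forbidden_needed() {
    sonames=$(needed_sonames)
    hits=""
    for so in $sonames; do
        for pat in "$@"; do
            case $so in
                $pat) hits="$hits $so"; break ;;
            esac
        done
    done
    [ -z "$hits" ] && return 0
    echo "${hits# }"
    return 1
}

# With a file argument, check a real binary and fail the build on a hit.
if [ $# -gt 0 ]; then
    objdump -p "$1" | forbidden_needed 'libkrb.so.*' || exit 1
fi
```

The glob 'libkrb.so.*' rejects the Kerberos 4 library while leaving the Kerberos 5 one (libkrb5.so.*) alone, which matches the outcome the proposed patch aims for.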