Bear Giles <[EMAIL PROTECTED]> writes: > My plan, back when I was exploring the idea of a US-only package > and/or derived distribution, was to use shared libraries and create > a special null Kerberos package which would return error codes, something > very close to the Kerberos 'bones' package (which is not export restricted). > The resulting package should be exportable and Kerberos functionality > would be enabled whenever someone installed the Kerberos packages.
This wouldn't hold water unfortunately. US Crypto export law includes prohibitting software with hooks "specifically" for crypto. So generic hooks for arbitrary filters are ok, hooks just for authentication (such as the fetchmail source) are ok, but binary packages are certain to include calls to crypto routines, which is verbotten. > The second is that both Kerberos and SSLeay use "libcrypto" Maintainers > could change the library name expected, but it's a pain. Uhoh, is this a problem for our existing kerberos 4 packages (that everyone seems to have forgotten about, hmph.)? I haven't gotten any bug reports about conflicts with libcrypto and it's definitely included. > > So far, I haven't considered adding the Kerberos compile options, because > > of doubt about this and also because no-one has ever asked for it. I tried to build nonus versions of zephyr and fetchmail with kerberos support a while back and found our tools just couldn't handle a source package that could produce different binary packages depending on the whim of the user. (This would have been especially neat since libzephyr contains all the kerberos calls, I could have produced a single libzephyr-i that switched the behaviour of all the zephyr clients.) Alas, my current solution is to just make it really easy for other people to build their own kerberized packages. To build a kerberized set of zephyr packages you just do "debian/rules WITHOUT_KRB4= binary" and for fetchmail I think you can just rebuild with kerbero4kth-dev installed and it dtrt. This satisfied my immediate needs, I can get my mail and read mit zephyrs, but doesn't really help the kerberos cause. I do want to get the kerberos pam module packaged but don't know anything about it myself. greg