On Fri, 2014-02-28 at 09:03 -0500, Rob Crittenden wrote:
> Petr Viktorin wrote:
> > On 02/28/2014 12:41 PM, Martin Kosek wrote:
> >> On 02/28/2014 10:47 AM, Petr Viktorin wrote:
> >>> On 02/27/2014 10:18 PM, Rob Crittenden wrote:
> >>>> Rob Crittenden wrote:
> >>> [...]
> >>>>> Ok, so try to summarize this long-running thread, I'll rename the
> >>>>> subpackage to freeipa-server-foreman-smartproxy to make it clearer
> >>>>> what it is/does. Right now it requires manual configuration so
> >>>>> having the package installed should have no negative impacts
> >>>>> (other than potentially pulling in additional dependencies).
> >>>>>
> >>>>> I'll leave it in smartproxy for now, it's just cleaner and better
> >>>>> integrates with ipatests IMHO.
> >>>>>
> >>>>> Foreman supports SSL client auth which is great, but cherrypy does
> >>>>> not yet. There is a pull request to add this,
> >>>>> https://bitbucket.org/cherrypy/cherrypy/pull-request/15/added-support-for-client-certificate/activity
> >>>>> . Foreman otherwise supports no other authentication method, so
> >>>>> we're blocked with this. The certs for this would initially come
> >>>>> out of Foreman/puppet.
> >>>>>
> >>>>> I'll submit a new patch with an updated spec but I think otherwise
> >>>>> I've addressed the issues Petr has raised. This thread has taken a
> >>>>> lot of turns so it is very possible I missed something though :-)
> >>>>
> >>>> Updated patch based on feedback from Foreman team. I added a new URI,
> >>>> /features, which Foreman uses to determine what capabilities a proxy
> >>>> has.
> >>>>
> >>>> rob
> >>>
> >>> My review is blocked because 389-ds doesn't install on Rawhide due to
> >>> https://fedorahosted.org/389/ticket/47700
> >>>
> >>> Noriko, do you know of a Rawhide build that includes your fix?
> >>
> >> Guys, if this patch still makes our master branch incompatible with
> >> F20, then it is a NACK from me. All developers run on F20, our CI
> >> runs on F20 and I do not think we can afford losing that and forcing
> >> everyone to permanently switch to rawhide - it is too unstable.
> >>
> >> IMO the Requires and BuildRequires must be set so that RPMs are
> >> buildable and installable on F20. The only acceptable exception is
> >> when only freeipa-server-foreman-smartprox cannot be installed on
> >> F20, but otherwise everything else needs to work.
> >>
> >> Thanks,
> >> Martin
> >>
> >
> > Okay, it's not a BuildRequires; IPA doesn't build because of a lint
> > failure: ipalib/util.py - Module 'kerberos' has no
> > 'authGSSClientInquireCred' member
> >
> > I guess the new get_current_principal needs to be kept out of ipalib
> > until we move to f21. Until then we can have a lint exception; after
> > then we need to remove it, and add BuildRequires so lint passes.
> >
>
> The other option is to locally rebuild python-kerberos from rawhide in
> F-20. Simo was a bit reluctant to put it into F-20 with the patch I
> added for authenticate_gss_client_inquire_cred(). We can also work on
> convincing him it is low risk.

Or you can simply provide a copr repo with the new build for f20 for the
time being?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York