673076 – net-analyzer/wireshark - revisit USE=kerberos USE=ssl

Bug 673076 - net-analyzer/wireshark - revisit USE=kerberos USE=ssl

Summary: net-analyzer/wireshark - revisit USE=kerberos USE=ssl

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Holger Hoffstätte

URL:
Whiteboard:
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2018-12-13 16:25 UTC by Jeroen Roovers (RETIRED)
Modified:	2025-02-20 08:42 UTC (History)
CC List:	3 users (show)

See Also:	213705 https://github.com/gentoo/gentoo/pull/40663
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jeroen Roovers (RETIRED) gentoo-dev

2018-12-13 16:25:37 UTC

src_configure() {
    local mycmakeargs

    # Workaround bug #213705. If krb5-config --libs has -lcrypto then pass
    # --with-ssl to ./configure. (Mimics code from acinclude.m4).
    if use kerberos; then
        case $(krb5-config --libs) in
            *-lcrypto*)
                ewarn "Kerberos was built with ssl support: linkage with openssl is enabled."
                ewarn "Note there are annoying license incompatibilities between the OpenSSL"
                ewarn "license and the GPL, so do your check before distributing such package."
                mycmakeargs+=( -DENABLE_GNUTLS=$(usex ssl) )
                ;;
        esac
    fi

Comment 1 Holger Hoffstätte 2025-01-19 15:44:33 UTC

Sam: any idea what this was about? the mentioned workaround has been in the ebuild since forever but it's not really clear to me what "revisiting" means, what the problem is (if there is one?) and the intended outcome could or should be.

The only issue I can see here could be a contradiction like +kerberos (linked with ssl) but explicitly requested -ssl for wireshark. Not sure if that's worth our time.

Comment 2 Holger Hoffstätte 2025-02-12 10:57:32 UTC

Looking into this some more -

- apparently the intended outcome was to remove the workaround.

- "+kerberos (linked with ssl)" can no longer happen. mit-krb5 guards its ssl dependency with USE=pkinit and uses openssl/libressl headers, but never actually links against the libs and uses its own "native" crypto backend. This means that "krb5-config --libs" will never return "-lssl", effectively rendering the workaround dead code. In theory the external openssl crypto backend could be selected with the --with-crypto-impl option, but the ebuild does not use that at all.

- heimdal is an alternative implementation of kerberos, but unconditionally uses --without-openssl and can therefore also not trigger the condition.

Conclusion: the workaround can be removed with the next update.

Comment 3 Larry the Git Cow gentoo-dev

2025-02-20 08:42:35 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=548b7e724df5bf93b8640ebd5d80a5bd7e5fa288

commit 548b7e724df5bf93b8640ebd5d80a5bd7e5fa288
Author:     Holger Hoffstätte <holger@applied-asynchrony.com>
AuthorDate: 2025-02-20 08:15:45 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2025-02-20 08:42:03 +0000

    net-analyzer/wireshark: remove obsolete kerberos workaround
    
    Closes: https://bugs.gentoo.org/673076
    Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/wireshark/wireshark-4.4.4.ebuild | 13 -------------
 net-analyzer/wireshark/wireshark-9999.ebuild  | 13 -------------
 2 files changed, 26 deletions(-)