Bug 954748

Summary:	Impossible to have both mit-krb5 libraries and heimdal libraries installed side-by-side on the same system.
Product:	Gentoo Linux	Reporter:	Giuseppe Foti <foti.giuseppe>
Component:	Current packages	Assignee:	Gentoo Kerberos Maintainers <kerberos>
Status:	UNCONFIRMED ---
Severity:	normal	CC:	eras, flow, foti.giuseppe
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=542462
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	debian 12 file lists

Description Giuseppe Foti 2025-04-26 08:53:18 UTC

In Gentoo we have:
app-crypt/heimdal that is the Kerberos 5 implementation from KTH
app-crypt/mit-krb5 that is the MIT Kerberos V implementation
and a virtual package that is virtual/krb5 that make them to block each other.
So in gentoo we cannot have installed both libraries and when a package depends on a particular implementation, it is blocked if the other implementation is required by a previous installed packages.

To solve this problem, in debian they have 2 more packages:
krb5-multidev https://packages.debian.org/bullseye/krb5-multidev
heimdal-multidev https://packages.debian.org/sid/heimdal-multidev
Those packages provide libraries and headers using two prefixed paths:
/usr/include/mit-krb5/
/usr/include/heimdal/
and can be installed at the same time so other package can depend upon them.
However they still have heimdal-dev and libkrb5-dev that are mutually not compatible on the same system and depend upon their multidev counterpart.
Is it possible to have a similar implementation in gentoo? Has this been discussed before?

Reproducible: Always

Steps to Reproduce:
1. emerge -av1 app-crypt/heimdal app-crypt/mit-krb5

Actual Results:  
 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  (app-crypt/mit-krb5-1.21.3:0/0::gentoo, binary scheduled for merge) pulled in by
    >=app-crypt/mit-krb5-1.12.1-r1[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_s390_32(-)?,abi_s390_64(-)?] (>=app-crypt/mit-krb5-1.12.1-r1[abi_x86_32(-),abi_x86_64(-)]) required by (virtual/krb5-0-r1:0/0::gentoo, installed) USE="" ABI_X86="32 (64) (-x32)"
    app-crypt/mit-krb5

  (app-crypt/heimdal-7.8.0-r3:0/0::gentoo, ebuild scheduled for merge) pulled in by
    app-crypt/heimdal



In the attached file there are 4 lists generated on a fresh debian 12 installation generated with dpkg-query -l command, to show how this is implemented in debian 12

Comment 1 Giuseppe Foti 2025-04-26 08:54:16 UTC

Created attachment 926208 [details]
debian 12 file lists

Comment 2 Florian Schmaus gentoo-dev

2025-04-27 17:18:47 UTC

This is essentially a request to make app-crypt/mit-krb5 and app-crypt/heimdal installable side-by-side. 

I've talked with Guiseppe and the motivation is that opevas-scanner (in ::gentoo) seems to require mit-krb5 and openvas-smb (not yet in ::gentoo) seems to require heimdal.

Comment 3 Eray Aslan gentoo-dev

2025-04-28 06:24:02 UTC

see #542462. It is a reasonable request that has been asked before. However,

- the work is not just making heimdal and mit-krb5 installable at the same time. We need to make the libraries discoverable as well which basically means touching all the consumers, perhaps choosing a default etc. i.e. it is not a trivial amount of work

- we are understaffed

- I feel that kerberos as a protocol has passed its prime. It feels like a 20th century solution to a 20th century problem - which further decreases the motivation

So, I have not spent time on this. Patches are welcome obviously. If someone steps up to do the work, I'll try to help

Comment 4 Florian Schmaus gentoo-dev

2025-04-28 06:45:52 UTC

(In reply to Eray Aslan from comment #3)
> see #542462. It is a reasonable request that has been asked before.

Thanks for your reply. It is understandable that this may not be achievable in Gentoo. We also first have to verify that the openvas components actually need a particular Kerberos implementation.