Created attachment 869901 [details] emerge --info Heimdal compiles fine, but there are runtime failures: $ kinit user@DOMAIN user@DOMAIN's Password: kinit: rc4 8: EVP_CipherInit_ex einit It seems the yet unreleased version 7.9.0 should support OpenSSL 3. I tried the master branch of the git repo and kinit worked.
I've pinged at https://github.com/heimdal/heimdal/issues/1005#issuecomment-1722235170. Having a broken Heimdal isn't really sustainable, so I guess we could try a snapshot... :|
(In reply to Sam James from comment #1) > I've pinged at > https://github.com/heimdal/heimdal/issues/1005#issuecomment-1722235170. > > Having a broken Heimdal isn't really sustainable, so I guess we could try a > snapshot... :| in fact, while Fedora haven't done a snapshot (and have no patches, so idk how it works for them), Debian has, so yes, let's do that
(In reply to Sam James from comment #2) > in fact, while Fedora haven't done a snapshot (and have no patches, so idk > how it works for them), Debian has, so yes, let's do that I did have a look but couldnt see the Debian openssl-3 patches. Do you have a link?
Debian just took a snapshot AFAICT: * https://salsa.debian.org/debian/heimdal/-/commit/3022e880571eda82c2544dc81934268af8989749 * https://salsa.debian.org/debian/heimdal/-/commit/b0f5a802bbda2e5959a9761c4eb5343192614982 Unfortunately, https://github.com/heimdal/heimdal/pull/1041 is stalled to backport the fixes.
yep exactly. we can also take a snapshot and throw a bunch of patches on top of that and it will kind of work but I wanted to avoid serving "kind of" working software as much as I can. So, I am holding out for now until we dont have any other option. Arguably, we are there now
To me it seems Debian is building without OpenSSL support (https://salsa.debian.org/debian/heimdal/-/blob/master/debian/rules#L49). They took the snapshot because of some security bugs (https://salsa.debian.org/debian/heimdal/-/blob/master/debian/changelog#L37).
yes that will work and is arguably a better option than serving broken software. Some loss of functionality but it's the best we can probably do
yeah, up to you - I think we're definitely at that cliff-edge point and we need to do something; i'm not familiar enough with heimdal to say if it's usable w/o openssl, but a snapshot for this feels a bit scary if we can avoid it
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=91af7c9c8b9da614355ab51aef288243db51f5c6 commit 91af7c9c8b9da614355ab51aef288243db51f5c6 Author: Eray Aslan <eras@gentoo.org> AuthorDate: 2023-09-19 15:56:12 +0000 Commit: Eray Aslan <eras@gentoo.org> CommitDate: 2023-09-19 16:04:01 +0000 app-crypt/heimdal: remove openssl support heimdal does not support openssl-3. remove openssl support since openssl-1.1 is EOL. This is not as bad as it sounds since we fall back to heimdal's hcrypto library Closes: https://bugs.gentoo.org/913718 Signed-off-by: Eray Aslan <eras@gentoo.org> app-crypt/heimdal/heimdal-7.8.0-r3.ebuild | 188 ++++++++++++++++++++++++++++++ 1 file changed, 188 insertions(+)
