Preparing for the Heimdal 7 Release


Roland C. Dowdeswell-2
Dear Heimdal Community,

        A team consisting of staff from Two Sigma Open Source and AuriStor
        is starting the release process for Heimdal version 7.  We have
        changed the version of the master branch to 6.99.1 which will be
        considered our beta.  During the beta period, we will be fixing
        remaining issues.  In addition, we are asking for the community
        to submit any final patches or bug reports before the 1st of
        November.

        We expect to publish the first release candidate on or near the
        11th of November.


Why 7?

        We are adopting a new versioning scheme.

                o  Each feature release will have a new major number.

                o  The minor will be a patch level.  A value of 0 is
                   reserved for release candidates.  A value of 99 is
                   reserved for development.

                o  Stable releases will not have a micro number.

                o  Micro numbers will be incremented in release candidates
                   and development as needed.

        For example, the first release candidate will be 7.0.1.  The next
        7.0.2, then 7.0.3, etc.  When the final release candidate is
        deemed production quality, it will be renumbered as 7.1.
        All bug fixes will then be 7.2, 7.3, etc.

        New development for Heimdal 8 will be 7.99.1, 7.99.2, 7.99.3, etc.

        When the next feature release is issued its version number will
        start with 8.0.1 as the first release candidate and the first
        release will be 8.1.


What will be in 7?

        We have a lot of major improvements since our last official
        release, including:

                o  hcrypto is now thread safe on all platforms and
                   as much as possible hcrypto now uses the operating
                   system's preferred crypto implementation ensuring
                   that optimized hardware assisted implementations of
                   AES-NI are used.

                o  RFC 6113 Generalized Framework for Kerberos
                   Pre-Authentication (FAST).

                o  iprop has been revamped to fix a number of race
                   conditions that could lead to inconsistent replication.

                o  The KDC process now uses a multi-process model improving
                   resiliency and performance.

                o  AES Encryption with HMAC-SHA2 for Kerberos 5
                   draft-ietf-kitten-aes-cts-hmac-sha2-11


        For a more detailed list of changes please see:

                https://github.com/heimdal/heimdal/blob/master/NEWS

        which contains a bullet point summary of the major security,
        feature and bug fix changes that have been applied to the Heimdal
        source tree over the last four years since the release of 1.5.3.

        The list is currently not complete and we will be reviewing the
        git log to add features and bug fixes to the list before we make
        the final release.

        We expect that the ABI for libgssapi and libkrb5 will be unchanged
        from the prior release (1.5.3).  If any differences are discovered
        during the release process, we will then fix them if practical
        or document the differences in the release notes.

        And, again, we aren't quite finished.  Organizations and
        individuals wishing to submit changes to Heimdal for this
        release are encouraged to do so no later than 1 November 2016.


The release process:

        Each release candidate will be given two weeks for testing
        and usability feedback.  If a serious bug is uncovered during
        the review period then a new release candidate will be issued
        once the bug has been fixed.  If after two weeks from candidate
        release no new showstopping bugs are uncovered, then the release
        candidate will be declared final.

--
    Roland C. Dowdeswell
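
The numbering rules in the announcement above, as an added example (not part of the original message and not code from the Heimdal project): a classifier that tells release candidates, development builds and stable releases apart and orders them. The names `classify`, `release_order` and `is_stable` are hypothetical, and treating the micro number as optional on release candidates and development builds is an assumption.

```python
import re
from typing import NamedTuple, Optional

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

class HeimdalVersion(NamedTuple):
    major: int
    minor: int
    micro: Optional[int]
    kind: str             # "release-candidate", "development" or "stable"
    feature_release: int  # feature release the build belongs to

def classify(version: str) -> HeimdalVersion:
    """Classify a version string under the numbering scheme announced above."""
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"not a major.minor[.micro] version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    micro = int(m.group(3)) if m.group(3) is not None else None
    if minor == 0:
        kind, feature = "release-candidate", major
    elif minor == 99:
        # 6.99.x is the beta of 7; 7.99.x is development toward 8.
        kind, feature = "development", major + 1
    elif micro is None:
        kind, feature = "stable", major
    else:
        # Stable releases carry no micro number, so a pre-scheme version
        # such as 1.5.3 is rejected rather than misread as a patch level.
        raise ValueError(f"{version!r} does not follow the Heimdal 7 scheme")
    return HeimdalVersion(major, minor, micro, kind, feature)

def release_order(versions):
    """Sort oldest to newest; a missing micro sorts as 0 (assumption)."""
    def key(v):
        c = classify(v)
        return (c.major, c.minor, c.micro or 0)
    return sorted(versions, key=key)

def is_stable(version: str) -> bool:
    """True only for stable releases, e.g. as a packaging or deploy gate."""
    return classify(version).kind == "stable"

if __name__ == "__main__":
    # Constructed sample: version numbers used as examples in the announcement.
    sample = ["8.1", "7.99.2", "7.0.1", "7.2", "6.99.1", "7.1", "8.0.1", "7.0.2"]
    for v in release_order(sample):
        print(v, classify(v).kind, "-> Heimdal", classify(v).feature_release)
```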

Re: Preparing for the Heimdal 7 Release

Russ Allbery-2
"Roland C. Dowdeswell" <[hidden email]> writes:

> A team consisting of staff from Two Sigma Open Source and AuriStor
> is starting the release process for Heimdal version 7.  We have
> changed the version of the master branch to 6.99.1 which will be
> considered our beta.  During the beta period, we will be fixing
> remaining issues.  In addition, we are asking for the community to
> submit any final patches or bug reports before the 1st of
> November.

> We expect to publish the first release candidate on or near the
> 11th of November.

That's great news!

There is some possibility that will be fast enough to allow reintroduction
of Heimdal into the next stable release of Debian, depending on how fast
the release candidate process converges in a stable release.  However,
it's going to have to be fairly quick, since the window for making it into
a stable release is rapidly closing.

November 5th is the start of stretch transition freeze, after which major
transitions have to be coordinated with the release team.  Reintroduction
of Heimdal will probably not qualify as a transition because Debian is
currently dropping Heimdal entirely from the distribution.

January 5th is the soft freeze, beyond which new packages cannot be
introduced into Debian stretch.  This is probably the last possible date
for Heimdal 7 making it into the next Debian stable release.  If there is
no stable release of Heimdal (with security support) by this point, and
more realistically several weeks prior to this for people to package it
(assuming the Heimdal packaging team in Debian is still willing to package
Heimdal), Debian stable will ship without Heimdal.

Note that I just removed the Heimdal PAM module from Debian unstable and
testing with an upload today.  I won't want to reintroduce this until
there is a stable and security-supported release of Heimdal packaged for
Debian.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: Preparing for the Heimdal 7 Release

Jeffrey Hutzelman
On Wed, 2016-10-19 at 13:02 -0700, Russ Allbery wrote:
> January 5th is the soft freeze, beyond which new packages cannot be
> introduced into Debian stretch.  This is probably the last possible date
> for Heimdal 7 making it into the next Debian stable release.  If there is
> no stable release of Heimdal (with security support) by this point, and
> more realistically several weeks prior to this for people to package it
> (assuming the Heimdal packaging team in Debian is still willing to package
> Heimdal), Debian stable will ship without Heimdal.

I'd really like to avoid that happening.  Last I checked, Heimdal was
being maintained in Debian by Brian May.  If he's no longer interested
in doing so, and assuming we can get a stable release in a timely
fashion, I can probably scare up some cycles to get the packaging in
shape.  Someone else will have to do the uploads, though...

-- Jeff

Re: Preparing for the Heimdal 7 Release

Quanah Gibson-Mount-2
In reply to this post by Roland C. Dowdeswell-2
--On Wednesday, October 19, 2016 4:52 PM -0400 "Roland C. Dowdeswell"
<[hidden email]> wrote:

> And, again, we aren't quite finished.  Organizations and
> individuals wishing to submit changes to Heimdal for this
> release are encouraged to do so no later than 1 November 2016.

I raised this ticket at the end of March.  While I don't have any patches
for it, I am hoping someone does, or has the time to take care of it.
Without this being fixed, Heimdal is incompatible with the default Kerberos
setups on RHEL out of the box:

<https://github.com/heimdal/heimdal/issues/166>

Thanks,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>


Re: Preparing for the Heimdal 7 Release

Jelmer Vernooij-2
In reply to this post by Russ Allbery-2
On Wed, Oct 19, 2016 at 01:02:43PM -0700, Russ Allbery wrote:

> "Roland C. Dowdeswell" <[hidden email]> writes:
>
> > A team consisting of staff from Two Sigma Open Source and AuriStor
> > is starting the release process for Heimdal version 7.  We have
> > changed the version of the master branch to 6.99.1 which will be
> > considered our beta.  During the beta period, we will be fixing
> > remaining issues.  In addition, we are asking for the community to
> > submit any final patches or bug reports before the 1st of
> > November.
>
> > We expect to publish the first release candidate on or near the
> > 11th of November.
>
> That's great news!
>
> There is some possibility that will be fast enough to allow reintroduction
> of Heimdal into the next stable release of Debian, depending on how fast
> the release candidate process converges in a stable release.  However,
> it's going to have to be fairly quick, since the window for making it into
> a stable release is rapidly closing.
>
> November 5th is the start of stretch transition freeze, after which major
> transitions have to be coordinated with the release team.  Reintroduction
> of Heimdal will probably not qualify as a transition because Debian is
> currently dropping Heimdal entirely from the distribution.

That's indeed awesome news!

However, like Russ says, the timing isn't great.  We've been asking
for a release for years. If this had happened earlier, that would have
saved a lot of unnecessary work on the Debian side. :-(

We've fortunately got a little bit more leeway now that the freeze was
deferred by two months to allow Linux 4.10 to be included.

The full stretch life cycle is documented at
https://wiki.debian.org/DebianStretch

Brian May and I are the current uploaders for Heimdal in Debian.
Because of the lack of releases, I've been coordinating the removal
from stretch (the next Debian release) the last couple of months.

So far the main thing that's happened is that packages that can build
against either Heimdal or MIT and previously built against Heimdal
have switched over to building against MIT.

Heimdal itself is currently still in stretch, but two packages that
build against *both* MIT and Heimdal - libpam (maintained
by Russ) and libpam-krb5-migrate (maintained by myself) - have dropped
support for Heimdal. Requests are open against OpenLDAP and
cyrus-sasl2 to drop Heimdal support.

If we want to have the option of keeping Heimdal iff a release
happens before mid-December, we need to coordinate with the Debian
release team. As a transition, it should be a lot less daunting now
that most dependencies have been removed. Between Russ and
myself, we can upload all packages that depend on Heimdal.

Cheers,

Jelmer
