Andrei Borzenkov wrote:
08.12.2015 23:58, Michael Ströder wrote:
I'm trying to upgrade the Kerberos packages to 1.14 which contains lots of major changes. Therefore I wonder whether the failing krb5-kvno-230379.patch [1] is still needed.
In the patch file the following ticket is referenced:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349
The ticket was created back in 2006 and it mentions upgrade issues from W2K to W2K3. Since even W2K3 will be out-of-service pretty soon I'm inclined to simply drop this patch.
Any thoughts on this?
[1] https://build.opensuse.org/package/view_file/network/krb5/krb5-kvno-230379.p...
This patch allows keytab entries that match any KVNO; removing this patch will break setup for anyone relying on it.
It looks only remotely related to the bug report itself - as the bug report states "we have keytabs with KVNO == 1 and cannot rewrite them", so adding the ability to use a keytab with KVNO == 0 hardly helps here. Of course it does allow preparing for an unknown KVNO in advance, but it could also be used unintentionally.
I'm rather reluctant to keep such a local patch in crypto software. Especially the question is: If there's a valid use-case why wasn't that added to upstream source code?

Ciao, Michael.