
#1 2008-11-20 05:27:40

rhys_rhaven
Member
Registered: 2007-03-11
Posts: 17
Website

Split Heimdal?

I find it odd that a package marked "Kerberos Libraries" is actually a full kerberos implementation. /bin, /sbin, init scripts to run a KDC. Following more a debian way of packaging, and in this case I think the right way, shouldn't Heimdal be split into heimdal-lib and the rest of it? Such overkill to install kerberos just for SSH libraries.

Offline

#2 2008-11-20 05:35:51

AndyRTR
Developer
From: Magdeburg/Germany
Registered: 2005-10-07
Posts: 1,641

Re: Split Heimdal?

file a feature request

Offline

#3 2008-11-20 11:46:03

JGC
Developer
Registered: 2003-12-03
Posts: 1,664

Re: Split Heimdal?

Why? The biggest part of heimdal is manpages for API, includefiles and some libs. The KDC binaries are only a small piece of the whole thing. Splitting them up just because you don't want some binaries on your system will complicate things.
It's not our policy to split things. If we take this extreme we could split the includefiles from the libs also because people who use SSH don't need heimdal includefiles for example...

Offline

#4 2008-11-21 04:29:52

rhys_rhaven
Member
Registered: 2007-03-11
Posts: 17
Website

Re: Split Heimdal?

I understand that idea, but I don't like the idea of having the kerberos binaries on my system for no particular reason. I will note a vague feeling of security, in that it's the reason you don't put GCC on production servers. If you don't need something like that on your system, it shouldn't be there to be run and then possibly exploited.

Please forgive me if I sound like a BSD user. I just think there's a reason extra binaries are not included on secure systems.

Last edited by rhys_rhaven (2008-11-21 04:31:14)

Offline

#5 2008-11-21 05:41:14

sand_man
Member
From: Australia
Registered: 2008-06-10
Posts: 2,164

Re: Split Heimdal?

Hey guys, doesn't he sound like a BSD user? lol j/k

Seriously, I see where you are coming from about having "useless" binaries on the system but at the same time where do you draw the line?
Arch has its own features which differ to other distros like Debian that split packages. Arch needs to be consistent with its ideals.


neutral

Offline

#6 2008-11-21 06:11:33

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879
Website

Re: Split Heimdal?

Keep a list of "useless" binaries somewhere. Run a cron job that does "rm -rf $(cat /my/useless/files.list)"

Simplest solution. Occam's Razor and all

Offline

#7 2008-11-21 07:51:54

JGC
Developer
Registered: 2003-12-03
Posts: 1,664

Re: Split Heimdal?

Well, you're not sounding like a BSD user, as both OpenBSD and FreeBSD have Heimdal kerberos integrated in the base system, including all binaries for the servers that are in our package. If this was a real security risk, OpenBSD wouldn't have included it.

Offline

#8 2008-11-21 09:35:18

miko
Member
From: Poland
Registered: 2006-04-16
Posts: 49

Re: Split Heimdal?

rhys_rhaven wrote:

I find it odd that a package marked "Kerberos Libraries" is actually a full kerberos implementation. /bin, /sbin, init scripts to run a KDC. Following more a debian way of packaging, and in this case I think the right way, shouldn't Heimdal be split into heimdal-lib and the rest of it? Such overkill to install kerberos just for SSH libraries.

I would also like archlinux to have split packages, but for another reason: when I try to build an embedded/LiveCD linux (or for an underpowered PC) I would like to get/compile/install as little as possible. I like the PLD distro in this regard. But I also know that this is a lot of work for distro maintainers, and so is not an Arch way.

Back to your solution. I suggest you can make a custom heimdal with PKGBUILD like this (untested):
pkgname=myheimdal
provides=(heimdal)
replaces=(heimdal)
build() {
...
  make install
  rm -rf $pkgdir/unnecessary/dirs/and/files
}

Offline

#9 2008-11-21 18:36:01

rhys_rhaven
Member
Registered: 2007-03-11
Posts: 17
Website

Re: Split Heimdal?

I will relent to JGC then. If OpenBSD included it, my feeling of unease goes away. Paranoid madmen make the best meticulous security.

Offline
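
An added example, not part of any post in this thread: a way to check the claims in posts #1 and #3 by counting what a package actually installs per category. It reads `pacman -Ql <pkg>` output ("pkgname /path" per line); the function names, the category rules and the sample listing are assumptions constructed for illustration, not the real heimdal file list.

```shell
# Count the files a package owns by category, so the share of executables
# and init scripts versus libraries, headers and man pages is visible.
# Input: `pacman -Ql <pkg>` lines on stdin. Output: one "category=count" per line.
classify_pkg_files() {
    awk '
    {
        path = $0
        sub(/^[^ ]+ /, "", path)            # drop the leading package name
        if (path ~ /\/$/) next              # skip directory entries
        if (path ~ /^\/(usr\/)?s?bin\//)                          c["bin"]++
        else if (path ~ /^\/etc\/rc\.d\//)                        c["init"]++
        else if (path ~ /\.so(\.[0-9]+)*$|\.a$/)                  c["lib"]++
        else if (path ~ /^\/usr\/include\//)                      c["include"]++
        else if (path ~ /\/man\//)                                c["man"]++
        else                                                      c["other"]++
    }
    END {
        n = split("bin init lib include man other", k, " ")
        for (i = 1; i <= n; i++) printf "%s=%d\n", k[i], c[k[i]]
    }'
}

# Constructed sample listing (hypothetical paths, not taken from the real package).
sample_listing() {
    cat <<'EOF'
heimdal /usr/
heimdal /usr/bin/
heimdal /usr/bin/kinit
heimdal /usr/bin/klist
heimdal /usr/sbin/
heimdal /usr/sbin/kdc
heimdal /etc/rc.d/kdc
heimdal /usr/lib/libkrb5.so
heimdal /usr/lib/libkrb5.a
heimdal /usr/include/krb5.h
heimdal /usr/share/man/man3/krb5_init_context.3.gz
heimdal /usr/share/man/man8/kdc.8.gz
EOF
}

# Demo on the constructed sample; on a real system: pacman -Ql heimdal | classify_pkg_files
sample_listing | classify_pkg_files
```

The `bin` and `init` counts are the entries to review when deciding whether a library dependency also brings runnable services onto a host.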
