There have been lots of missing CONFLICTS_INSTALL entries, either
because conflicting ports were added without updating existing ports,
due to name changes of generated packages, due to mis-understanding
the format and semantics of the conflicts entries, or just due to
typoes in package names.
This patch is the result of a comparison of all files contained in
the official packages with each other. This comparison was based on
packages built with default options and may therefore have missed
further conflicts with optionally installed files.
Where possible, version numbers in conflicts entries have been
generalized, some times taking advantage of the fact that a port
cannot conflict with itself (due to logic in bsd.port.mk that
supresses the pattern match result in that case).
A few ports that set the conflicts variables depending on complex
conditions (e.g. port options), have been left unmodified, despite
probably containing outdated package names.
These changes should only affect the installation of locally built
ports, not the package building with poudriere. They should give an
early indication of the install conflict in cases where currently
the pkg command aborts an installation when it detects that an
existing file would be overwritten,
Approved by: portmgr (implicit)
The conflict checks compare the patterns first against the package
names without version (as reported by "pkg query "%n"), then - if
there was no match - agsinst the full package names including the
version (as reported by "pkg query "%n-%v").
Many CONFLICTS definitions used patterns like "bash-[0-9]*" to filter
for the bash package in any version. But that pattern is functionally
identical with just "bash".
Approved by: portmgr (blanket)
security/krb5-devel fails to build on FreeBSD-11 due to:
main.c:1593:5: error: implicit declaration of function 'OPENSSL_clear_free'
is invalid in C99 [-Werror,-Wimplicit-function-declaration]
OPENSSL_clear_free(buffer, buffer_len);
This commit captures KRB5-1.19-beta2. The beta2 announcement on
krbdev is as follows:
MIT krb5-1.19-beta2 is now available for download from
https://web.mit.edu/kerberos/dist/testing.html
The main MIT Kerberos web page is
https://web.mit.edu/kerberos/
Please send comments to the krbdev list. We plan for the final
release to occur in about one month. The README file contains a more
extensive list of changes.
Major changes in 1.19
---------------------
Administrator experience:
* When a client keytab is present, the GSSAPI krb5 mech will refresh
credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB.
Developer experience:
* gss_acquire_cred_from() now supports the "password" and "verify"
options, allowing credentials to be acquired via password and
verified using a keytab key.
* When an application accepts a GSS security context, the new
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self
requests to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set
in issued tickets.
* The krb5_init_creds_step() API will now issue the same password
expiration warnings as krb5_get_init_creds_password().
Protocol evolution:
* Added client and KDC support for Microsoft's Resource-Based
Constrained Delegation, which allows cross-realm S4U2Proxy requests.
A third-party database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin
connections, and the host-based form is no longer created by
default. The client will still try the host-based form as a
fallback.
* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
extension, which causes channel bindings to be required for the
initiator if the acceptor provided them. The client will send this
option if the client_aware_gss_bindings profile option is set.
User experience:
* kinit will now issue a warning if the des3-cbc-sha1 encryption type
is used in the reply. This encryption type will be deprecated and
removed in future releases.
* Added kvno flags --out-cache, --no-store, and --cached-only
(inspired by Heimdal's kgetcred).
This commit captures KRB5-1.19-beta. The beta announcement on
krbdev is as follows:
MIT krb5-1.19-beta1 is now available for download from
https://web.mit.edu/kerberos/dist/testing.html
The main MIT Kerberos web page is
https://web.mit.edu/kerberos/
Please send comments to the krbdev list. We plan for the final
release to occur in about one month. The README file contains a more
extensive list of changes.
Major changes in 1.19
---------------------
Administrator experience:
* When a client keytab is present, the GSSAPI krb5 mech will refresh
credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB.
Developer experience:
* gss_acquire_cred_from() now supports the "password" and "verify"
options, allowing credentials to be acquired via password and
verified using a keytab key.
* When an application accepts a GSS security context, the new
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self
requests to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set
in issued tickets.
* The krb5_init_creds_step() API will now issue the same password
expiration warnings as krb5_get_init_creds_password().
Protocol evolution:
* Added client and KDC support for Microsoft's Resource-Based
Constrained Delegation, which allows cross-realm S4U2Proxy requests.
A third-party database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin
connections, and the host-based form is no longer created by
default. The client will still try the host-based form as a
fallback.
* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
extension, which causes channel bindings to be required for the
initiator if the acceptor provided them. The client will send this
option if the client_aware_gss_bindings profile option is set.
User experience:
* The default setting of dns_canonicalize_realm is now "fallback".
Hostnames provided from applications will be tried in principal
names as given (possibly with shortname qualification), falling back
to the canonicalized name.
* kinit will now issue a warning if the des3-cbc-sha1 encryption type
is used in the reply. This encryption type will be deprecated and
removed in future releases.
* Added kvno flags --out-cache, --no-store, and --cached-only
(inspired by Heimdal's kgetcred).
