[Pkg-openldap-devel] OpenLDAP packaging going forward

Matthijs Mohlmann matthijs at cacholong.nl
Wed May 23 20:23:25 UTC 2007


Hi,

The current version of gnutls in Debian is:
Version: 1.7.7-1

At this point 1.7.9 is the latest version upstream as far as I can see. 
I don't know if 1.7.9 already is a stable release but ok. Is there not a 
possibility to start with 2.4 instead of pushing 2.3.35 in?

Hmm.. 2.4 is in alpha status. Then it's probably better to put it in 
experimental. I hope we can

Russ Allbery wrote:
> Well, it looks like I'm not going to have as much time to work on OpenLDAP
> packaging as I was hoping, and it looks like Stanford will probably want
> to maintain our own packages internally at least through the 2.4 release,
> but I'm still hoping that Debian will be able to benefit from some of that
> work.
> 
> The first step is to update the current tree in Subversion to 2.3.35, plus
> a few fixes, which should bring us back up to date with upstream.  We're
> going to try to base our internal packages on the Debian packaging and
> feed any fixes back that are general, so hopefully that will keep the
> Debian packages in better shape.  We're going to be starting that work
> soon.
> 
> As the first step in that process, I started reviewing the current patches
> in the Debian package with an eye for whether they should be kept as
> Debian-specific patches, fed upstream, or dropped.  Here are the results of
> an initial look:
> 
> connection-race
> fix-memleak-acls-uses-sets
> fix-memleak-on-failed-bind
> kbind-security-fix
> 
>     I believe these are already included in the 2.3.35 package and can be
>     dropped from the repository once we upgrade.
> 
Are already in upstream release, yes.

> adminguide-docfixes
> 
>     Should be checked against the current upstream to see if it's still
>     relevant and either submitted upstream or dropped.
> 
> disable-epoll-system-call
> 
>     Allowed an OpenLDAP package built on a 2.6 kernel to run on 2.4.
>     Since Debian has now dropped support for 2.4 kernels, I think we can
>     drop this patch.
> 
This patch can be dropped, yes.

> add-autogen-sh
> use-lpthreads
> 
>     The -lpthreads patch should be discussed upstream to see if we can
>     make this not a Debian-specific patch.  We added it because mipsel
>     didn't like -pthreads (is this still the case?).  Upstream may be
>     preferring -pthreads over -lpthreads for other reasons.  I'd really
>     rather not carry this around, since it's the only reason why we're
>     running Autoconf and friends at build time.  If we could get rid of
>     it, we could drop add-autogen-sh.
> 
Would be nice.

> ntlm-ldap_h-hack
> ntlm_c
> 
>     Upstream dropped this code long ago.  Can we just do the same thing?
>     I don't think it makes a lot of sense for Debian to try to maintain it
>     separately.
> 
I don't know, but probably Steve can comment on this?

> libldap-makefile_in
> 
>     Part of this is the NTLM stuff.  The rest is linking the libraries
>     with the pthread library, which should be fed upstream.
> 
Same as above.

> index-files-created-as-root
> 
>     This is Debian-specific in its current form, since it always warns if
>     slapindex is running as root.  Ideally, this would figure out if slapd
>     is running as a non-root user and then only warn if that's the case
>     and slapindex is running as a different user.  For right now, we
>     should carry this patch as-is but suggest upstream the better fix.
> 
It's probably better that it changes its privileges before starting the 
indexing process.

> read-config-before-dropping-privileges
> 
>     I'm not sure the history of this patch, but my guess is that the
>     config file may contain private information and this makes the
>     permissions easier to handle?  The changelog is not informative.
>     Should be fed upstream if it's really useful.
> 
When openldap is run with fewer privileges and the slapd.conf file is 
0600 (root:root), then it's impossible for slapd to read its config. 
That's why this patch is introduced; I think it's also useful for upstream.

> sasl-default-path
> 
>     Should be fed upstream, as this looks generally useful.
> 
That's right.

> fixmanpages
> 
>     Fixes a bug in the .TH line of slapo-retcode.5.  Should be fed
>     upstream.
> 
Also right.

> ldapi-socket-place
> man-slapd
> man-slurpd
> slapi-errorlog-file
> slurpd-in-spool
> wrong-database-location
> 
>     These are all path fixes specific to Debian.
> 
> 
> Following what I've done with other packages, I'm going to start
> annotating these patches with bug numbers (Debian and upstream) where
> available and renaming the ones that are Debian-specific and not suitable
> for feeding upstream to start with debian-.  (I assume no one has
> objections to that.)  However, I'll start by updating to 2.3.35.
> 

Fine with me.

Thanks.

Regards,

Matthijs Mohlmann
