Shibboleth2 packaging

Russ Allbery rra at
Fri May 9 01:37:01 UTC 2008

"Scott Cantor" <cantor.2 at> writes:

> To answer some of your questions:
> I seriously doubt there is any way to package both SP versions at once.
> Everything from opensaml up is specific to each version and there is no
> compatibility, as I think you realized.
> While you can certainly install both library sets, you CANNOT install both
> SPs anyway, so there's no basis for supporting both libraries at this point.
> OpenSAML never attracted any serious non-Shib use, intentionally, so there's
> no compelling reason to maintain 1.x as a library if you ship the 2.0 SP.

I'm not sure that it makes sense to provide *only* 2.0 in Debian lenny (if
we can even get 2.0 into the archive by the freeze), when a lot of sites
are still running 1.3, although that does mean 1.3 would be around for
possibly longer than it should be.  But maybe I'm too conservative.

We can package both at the same time and just have them conflict with each
other; that's not horribly uncommon in Debian.  It's not really ideal, but
it has its advantages for sites that aren't ready to jump to 2.0 yet.  I'm
not really sure what to think there.

Partly that's because I don't have practical experience with the upgrade
yet, which I'll get this summer, so maybe it's not as big of a deal as I

> I made a conscious choice NOT to rename the opensaml package to
> opensaml2.  If I had, it would have facilitated side by side installs of
> the headers. I did not want that to be a simple thing for people to do
> because I don't want to support that code long term, so I made it harder
> for that to happen.

Okay, good to know.

> The schemas are absolutely required by Shibboleth. They're mandatory for
> 1.3 which validates everything. 2.0 is less strict, but they're still
> needed.

Huh.  I could have sworn that I tested this explicitly and everything
worked fine without the schemas involved, but clearly I missed something.
Anyway, this will definitely be fixed in the next upload; I just moved the
Recommends to a straight Depends and that will be in the next upload.

> There is no reason to package the -lite libraries separately as they
> will NEVER be versioned separately from the non-lite version of the same
> library.  The libtool version will change for both when it does
> change. There are only a few library pairs, and only two are versioned
> (xmltooling and shibsp).

Perfect; we'll just do one package then.

BTW, there are currently two packages for the Shibboleth SP libraries for
1.3 since libshib and libshib-target had different SONAMEs and I wasn't
sure if that would indicate that they might change versions independently.

Russ Allbery (rra at               <>

More information about the Pkg-shibboleth-devel mailing list