Russ Allbery [Sun, 26 Aug 2018 20:22:48 +0000 (13:22 -0700)]
Update to standards version 4.2.1
* Update standards version to 4.2.1.
- Enable verbose test output.
- Install the upstream release notes as NEWS.gz, not changelog.gz.
- Add Rules-Requires-Root: no.
- Use https for URLs in debian/control and debian/copyright.
Russ Allbery [Sat, 26 Dec 2015 00:45:40 +0000 (16:45 -0800)]
Clean up license notices and regenerate LICENSE
Use the Debian copyright-format 1.0 format for LICENSE. Fix up the
files that had unparseable license notices or ones with typos, and
add license notices to a few files that didn't have them.
Russ Allbery [Sat, 26 Dec 2015 00:18:14 +0000 (16:18 -0800)]
Remove strlcpy, strlcat, and strndup
These are no longer used by the utility library, so we don't have
to provide replacements for them. Also clean up a remaining build
rule for the concat test suite.
Russ Allbery [Sat, 26 Dec 2015 00:11:42 +0000 (16:11 -0800)]
Update to rra-c-util 5.9 and C TAP Harness 3.4
Update to rra-c-util 5.9:
* Add missing va_end to xasprintf implementation.
* Improve portability to Kerberos included in Solaris 10.
* Use appropriate warning flags with Clang (currently not warning clean).
* Use Lancaster Consensus environment variables to control tests.
* Use calloc or reallocarray for protection against integer overflows.
* Suppress warnings from Kerberos headers in non-system paths.
* Assume calloc initializes pointers to NULL.
* Assume free(NULL) is properly ignored.
* Improve error handling in xasprintf and xvasprintf.
* Check the return status of snprintf and vsnprintf properly.
* Preserve errno if snprintf fails in vasprintf replacement.
* Fix probing for Heimdal's libroken to work with older versions.
* Improve POD tests.
* Fix kafs compilation failure on Solaris 11 or later.
* Drop concat from the util library in favor of asprintf.
* Fail on any error in [bx]asprintf and [bx]vasprintf.
* Pass --deps to krb5-config in the non-reduced-dependencies case.
* Silence __attribute__ warnings on more compilers.
Update to C TAP Harness 3.4:
* Fix segfault in runtests with an empty test list.
* Display verbose test results with -v or C_TAP_VERBOSE.
* Support comments and blank lines in test lists.
* Check for integer overflow on memory allocations.
* Reopen standard input to /dev/null when running a test list.
* Don't leak extraneous file descriptors to tests.
* Suppress lazy plans and test summaries if the test failed with bail.
* runtests now treats the command line as a list of tests by default.
* The full test executable path can now be passed to runtests -o.
* Improved harness output for tests with lazy plans.
* Improved harness output to a terminal for some abort cases.
* Flush harness output after each test even when not on a terminal.
* Only use feature-test macros when requested or built with gcc -ansi.
* Drop is_double from the C TAP library to avoid requiring -lm.
* Avoid using local in the shell libtap.sh library.
* Silence __attribute__ warnings on more compilers.
* runtests now frees all allocated resources on exit.
Russ Allbery [Fri, 25 Dec 2015 22:46:00 +0000 (14:46 -0800)]
Retry initial authentication until it succeeds
For both k5start with a command or -K and no -x flag, and krenew with
the -i flag, repeatedly retry the initial authentication. The first
retry will be immediate, and then the commands will keep trying with
exponential backoff to one minute intervals, and then continuously at
one minute intervals until the command is killed or authentication
succeeds. k5start and krenew will no longer start any other command
until the initial authentication succeeds, fixing startup behavior
when running a command that must have valid Kerberos tickets
immediately on start. Based on a patch by Lars Hanke.
Add the -a option to k5start and krenew, which says to always try
to renew our tickets (and tokens, if -t) every time we wake up,
regardless of how much time is left on the tickets. This is useful if
you want to ensure that a certain amount of lifetime always exists
on the tickets, or if you want to ensure aklog gets run, even if
something else is keeping our tickets fresh.
Update standards version to 3.9.5 (copyright, Vcs-Git)
* Update standards version to 3.9.5.
- Convert debian/copyright to copyright-format 1.0.
- Specify the Debian packaging branch in the Vcs-Git control field.
Russ Allbery [Wed, 8 Jan 2014 00:23:44 +0000 (16:23 -0800)]
Make daemon test suite more robust
Extend delays, since authentication can take a while on a remote,
loaded network. Use better strategies for waiting for activity
than simple numeric delays. Fix the test count in k5start/daemon.
Russ Allbery [Wed, 8 Jan 2014 00:21:33 +0000 (16:21 -0800)]
Skip keyring tests if the resulting tickets disappear
MIT Kerberos doesn't cope well with UID session keyrings. It can
get tickets, but then the tickets disappear. Check for that and
skip the keyring tests if we're running into that problem.
k5start -K no longer exits if initial authentication fails
k5start, when run with the -K option to run as a daemon, no longer
exits if the initial authentication fails. Instead, it reports the
error to standard error and then continues to run, attempting
authentication every minute as if authentication had failed after it
had started. Patch from Rasmus Borup Hansen.
Shorten the wake-up period if there was an initial failure
If -i is given to krenew and the initial ticket renewal failed, start
with the shorter wake-up interval of one minute just as if a
subsequent renewal failed.
Russ Allbery [Sun, 5 Feb 2012 01:42:44 +0000 (17:42 -0800)]
Make the single-debian-patch and patch-header options local
* Move single-debian-patch to local-options and patch-header to
local-patch-header so that they only apply to the packages I build and
NMUs get regular version-numbered patches.
- The .spec file refers to version 3.16.
- SLED doesn't have krb5-libs; both SLED and RHEL seem fine with
Requires: krb5'.
- The %defattr lines cause some directory permissions problems.
Russ Allbery [Sun, 8 Jan 2012 03:49:59 +0000 (19:49 -0800)]
Shorten the wakeup interval on errors
When k5start or krenew are running as a daemon and obtaining new
tickets fails, both now shorten the wakeup interval to one minute and
keep trying at that interval until the error resolves itself, and then
go back to the normal wakeup interval.
Russ Allbery [Sun, 8 Jan 2012 02:37:26 +0000 (18:37 -0800)]
Add krenew -s option to SIGHUP the command on exit
Add a new -s option to krenew that, if given, tells krenew to send
SIGHUP to the command it's running when it exits because it can't
renew the ticket. This is useful when continuing to run the command
without a valid ticket would be pointless.
Russ Allbery [Sun, 8 Jan 2012 01:05:24 +0000 (17:05 -0800)]
Fix k5start -H with a cache for the wrong principal
Fix a regression introduced in kstart 4.0 where k5start -H would be
happy with an unexpired ticket for a different principal than the
desired client principal.
Russ Allbery [Thu, 5 Jan 2012 21:29:41 +0000 (13:29 -0800)]
Fix k5start -H and krenew -H with non-renewable tickets
Fix a regression introduced in kstart 4.0 that caused k5start -H and
krenew -H to fail and attempt reauthentication with non-renewable
tickets even if the lifetime was long enough. Thanks to pod for the
report.