broken compatability between 1.3.5 and 1.4.1

Tim Mooney mooney at
Wed Oct 5 15:12:35 EDT 2005

In regard to: Re: broken compatability between 1.3.5 and 1.4.1, Sam Hartman...:

> we committed to an ABI for Unix, Mac and windows around 1.2.5.
> If you have an application using only symbols from that ABI (symbols
> defined in our header files without KRB5_PRIVATE defined) we would
> consider it a serious bug if such an application failed to link
> against 1.4.1 libraries when built against 1.3.5 libraries.

Older versions of Simon's patch for GSSAPI support in OpenSSH (in
the OpenSSH 3.5p1 timeframe, which was newer than 1.2.5) and the
perl5 module Authen-Krb5 (even version 1.4, which is recent) both call

It's this call that caused problems when I upgraded the krb5 shared
libraries from 1.2.8 to 1.4.x.  Of course you're correct that applications
shouldn't be using that (or any other KRB5_PRIVATE symbol) today, but some
still are.

Moreover, consider the situation where I build packages like Authen-Krb5
against krb5 1.2.4 (or some earlier version), where krb5_init_ets() was not
marked private, and was visible in the shared library.

Now I upgrade the shared libraries and headers to version 1.2.8.  What's
marked as private in the headers has changed, but the symbols in the library
are still visible, and the library advertises the same ABI.

Now I upgrade to 1.3.x or 1.4.x.  Oops.  The library says it's still the
same ABI as way back in the 1.2.x days, but suddenly lots of symbols
aren't resolvable by the runtime loader.

It's too late to really do anything about this for krb5_init_ets() and
friends, but in the future please at least consider whether an ABI bump
might be wise if you remove additional symbols from the shared libraries
(even if they're only symbols that people shouldn't be using).  I
understand that ABI bumps are a pain for system integrators and packagers,
and gratuitous bumps are to be avoided.  A library that says its
compatible with 1.2.4 but really isn't compatible is a pain, too, though.

Tim Mooney                              mooney at
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

More information about the krbdev mailing list