libkdb-ldap and ABI stability

Russ Allbery rra at
Tue May 6 00:10:45 EDT 2008

When I packaged the LDAP KDC plugin for Debian, I immediately got a bug
report that I shouldn't have packaged libkdb-ldap1 as a public shared
library because it's not really one and the ABI isn't stable.  Apparently
the current svn trunk has changed the exported functions without changing

On one hand, it would make sense to package that library into a private
directory rather than /usr/lib, such as /usr/lib/krb5, and use RPATH for
the plugin and the admin utility to find it, since it's not really a
public library and there are no header files.  In that case, I'd just
include it in the same package as the LDAP plugin instead of putting it in
a separate package as Debian requires for public shared libraries.

On the other hand, that's a lot of hacking on MIT Kerberos's build system
and special modifications I'd need to maintain for Debian, and your build
system just installs it in the regular public library directory.

So... what are the plans for this library?  Can I safely package it as a
regular shared library and rest assured that the SONAME will change with
any future backward-incompatible change to the interface, such as what's
apparently currently in Subversion?  Will it ever have a public header?
Or would it be better to install it into /usr/lib/krb5 and use RPATH to
find it (and if so, is that a patch you'd take back)?

Russ Allbery (rra at             <>

More information about the krbdev mailing list