Bug 262191 - www/gitlab-ce: Add KERBEROS option
Summary: www/gitlab-ce: Add KERBEROS option
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Matthias Fechner
URL: https://reviews.freebsd.org/D39988
Keywords: feature, needs-qa
Depends on:
Blocks:
 
Reported: 2022-02-25 12:22 UTC by Vladimir Druzenko
Modified: 2023-05-11 09:53 UTC (History)

See Also:
vvd: maintainer-feedback? (mfechner)


Attachments
add option KERBEROS - possibility to not install security/krb5 (1.78 KB, patch)
2022-02-25 12:22 UTC, Vladimir Druzenko
vvd: maintainer-approval?
Description Vladimir Druzenko freebsd_committer freebsd_triage 2022-02-25 12:22:09 UTC
Created attachment 232103 [details]
add option KERBEROS - possibility to not install security/krb5

Tested on 13.0 amd64.
Comment 1 Matthias Fechner freebsd_committer freebsd_triage 2022-02-25 12:57:06 UTC
Thanks, I will look into it, after version 14.8 is released to ports.
Comment 2 Vladimir Druzenko freebsd_committer freebsd_triage 2022-03-09 11:26:47 UTC
(In reply to Matthias Fechner from comment #1)
14.8 is in ports - have you forgotten about this change?
Comment 3 Matthias Fechner freebsd_committer freebsd_triage 2022-03-10 16:52:05 UTC
No, I have not forgotten it.
I focused on getting the last version out, as there was a CVE linked with an extremely high score.

I will testbuild it and will commit it in some minutes.

If it breaks with future versions, please commit a PR with a patch, I will commit the fix then accordingly.

Thanks.
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-03-10 16:56:08 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ccc9d98b47ff35cda47a10094e7777d962c48108

commit ccc9d98b47ff35cda47a10094e7777d962c48108
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-03-10 16:47:12 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2022-03-10 16:47:12 +0000

    www/gitlab-ce: add option to remove kerberos dep

    I understand that this option can be helpful, but I do not suggest to use it.
    If it breaks due to new version and the patch does not apply anymore,
    please send a PR then I will update this feature accordingly.

    But I will not testbuild gitlab with many option combinations.
    PR:             262191

 www/gitlab-ce/Makefile                                     | 10 ++++++++--
 www/gitlab-ce/files/extra-patch-Gemfile-kerberos-off (new) | 11 +++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
Comment 5 Matthias Fechner freebsd_committer freebsd_triage 2022-03-10 17:01:13 UTC
Fixed, thanks for taking care of this feature.
Comment 6 Vladimir Druzenko freebsd_committer freebsd_triage 2022-03-10 17:34:37 UTC
Thanks!
Comment 7 Laurent Daverio 2023-04-04 08:04:34 UTC
Hi everybody,

in order to be able to install Gitlab CE 15.9.4 without Kerberos, I had to update `files/extra-patch-Gemfile-kerberos-off` to:
 
```
+++ Gemfile     2023-04-04 09:18:50.624315000 +0200
@@ -82,7 +82,7 @@

 # Kerberos authentication. EE-only
 gem 'gssapi', '~> 1.3.1', group: :kerberos
-gem 'timfel-krb5-auth', '~> 0.8', group: :kerberos
+#gem 'timfel-krb5-auth', '~> 0.8', group: :kerberos

 # Spam and anti-bot protection
 gem 'recaptcha', '~> 5.12', require: 'recaptcha/rails'
```
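
Review bot: the context lines of this hunk carry exact version pins (`'~> 1.3.1'` on the gssapi line, `'~> 5.12'` on the recaptcha line), so the patch is likely to need a refresh whenever upstream bumps either gem, even though the only intended change is the `timfel-krb5-auth` line. An edit keyed on the gem name alone, for example a `${REINPLACE_CMD}` in a post-patch target that matches `gem 'timfel-krb5-auth'`, would survive those bumps. The header also has only the `+++ Gemfile` line with no `--- Gemfile.orig` line before it, which should be restored before this is attached as a patch.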

Incidentally, I never know what to choose between `heimdal` and `krb5`, all advice welcome :)

Best regards,

Laurent.
Comment 8 Vladimir Druzenko freebsd_committer freebsd_triage 2023-04-04 11:49:16 UTC
(In reply to Laurent Daverio from comment #7)
I made the same patch yesterday too.

But I found that devel/gitlab-shell has: BUILD_DEPENDS= heimdal>=0:security/heimdal.

Created 2 patches:
# cat /usr/ports/devel/gitlab-shell/files/patch-go.mod 
--- go.mod.orig
+++ go.mod
@@ -9,7 +9,6 @@
        github.com/hashicorp/go-retryablehttp v0.7.1
        github.com/mattn/go-shellwords v1.0.11
        github.com/mikesmitty/edkey v0.0.0-20170222072505-3356ea4e686a
-       github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b
        github.com/otiai10/copy v1.4.2
        github.com/pires/go-proxyproto v0.6.2
        github.com/prometheus/client_golang v1.13.1
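
Review bot: removing only the `github.com/openshift/gssapi` require line leaves go.mod out of step with any source file that still imports that module, so the build has to either resolve the module again or fail. Pair this hunk with a change that keeps the importing code out of the build (the comment text below names internal/sshd/gssapi.go as a candidate), otherwise the patch cannot hold through the build stage.
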
# cat /usr/ports/devel/gitlab-shell/files/patch-go.sum 
--- go.sum.orig
+++ go.sum
@@ -277,8 +277,6 @@
 github.com/onsi/ginkgo v1.10.3 h1:OoxbjfXVZyod1fmWYhI7SEyaD8B00ynP3T+D5GiyHOY=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1 h1:K0jcRCwNQM3vFGh1ppMtDh/+7ApJrjldlX8fA0jDTLQ=
-github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b h1:it0YPE/evO6/m8t8wxis9KFI2F/aleOKsI6d9uz0cEk=
-github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b/go.mod h1:tNrEB5k8SI+g5kOlsCmL2ELASfpqEofI0+FLBgBdN08=
 github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
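
Review bot: the two removed `github.com/openshift/gssapi` lines are checksum records, and go.sum entries for a module that go.mod no longer requires are not an error, so this hunk adds patch maintenance without changing what gets built. I would drop patch-go.sum and leave go.sum as upstream ships it, keeping the dependency change in go.mod and in the source that imports the module.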

But it regenerates both files during the build stage after configure.
But I found a hack: if I apply these patches after the build fails and run make again, it builds and installs fine.

I'm not familiar with Go, but I think the core of this issue is in internal/sshd/gssapi.go and/or in internal/config/config.go.

P.S. I think it is better to create a separate PR for this issue.
Comment 9 Vladimir Druzenko freebsd_committer freebsd_triage 2023-05-04 16:43:22 UTC
(In reply to Laurent Daverio from comment #7)
Can you create a separate PR with your patch attached as "patch"?
Comment 10 Laurent Daverio 2023-05-07 08:10:43 UTC
(In reply to Vladimir Druzenko from comment #9)
Hi Vladimir,

on second thoughts, I wasn't so sure that patching the Gemfile would be a good idea, as it may change a lot between releases, and the patchfile would have to be checked and/or edited frequently :/

My current hack involves:

1/ Typing "make" and waiting for the build to fail

2/ Edit the Makefile to remove the line:

   KERBEROS_EXTRA_PATCHES_OFF=	${FILESDIR}/extra-patch-Gemfile-kerberos-off

   (I search for the first occurrence of "extra" in the file)

3/ Open file work/gitlab-foss-*/Gemfile, and remove the line containing "timfel"

So, what I'm basically doing is patching the Gemfile manually

4/ Run "make" again to complete build
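
The manual Gemfile edit from comment 10, scripted so that it matches on the gem name rather than on version pins or line numbers. This is an added example, not code from the thread or from the port; the function names and the sample Gemfile are constructed for illustration.

```shell
#!/bin/sh
# Added example: disable one gem declaration in a Gemfile by name.
# Function names and the sample file below are constructed, not from the port.

# gem_active FILE NAME: exit 0 if an uncommented "gem 'NAME'" line exists.
gem_active() {
    grep -Eq "^[[:space:]]*gem[[:space:]]+['\"]$2['\"]" "$1"
}

# disable_gem FILE NAME: comment out the declaration of NAME.
# Fails loudly when the gem is absent, so a silent upstream rename or
# removal shows up as a build error instead of a no-op.
disable_gem() {
    file=$1
    name=$2
    if ! gem_active "$file" "$name"; then
        echo "disable_gem: no active declaration of $name in $file" >&2
        return 1
    fi
    # Write to a temp file and rename: avoids GNU/BSD 'sed -i' differences.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    sed -E "s/^([[:space:]]*)(gem[[:space:]]+['\"]$name['\"])/\1#\2/" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# make_sample_gemfile PATH: constructed excerpt modelled on the lines
# quoted in comment 7 (not the full upstream Gemfile).
make_sample_gemfile() {
    cat > "$1" <<'EOF'
# Kerberos authentication. EE-only
gem 'gssapi', '~> 1.3.1', group: :kerberos
gem 'timfel-krb5-auth', '~> 0.8', group: :kerberos

gem 'recaptcha', '~> 5.12', require: 'recaptcha/rails'
EOF
}

# Demo on a throwaway copy; prints the edited file.
demo_dir=$(mktemp -d)
make_sample_gemfile "$demo_dir/Gemfile"
disable_gem "$demo_dir/Gemfile" timfel-krb5-auth && cat "$demo_dir/Gemfile"
rm -rf "$demo_dir"
```

A second call for the same gem returns non-zero, which is the signal that the declaration is already gone or has been renamed upstream.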
Comment 11 Vladimir Druzenko freebsd_committer freebsd_triage 2023-05-11 09:53:26 UTC
(In reply to Laurent Daverio from comment #10)
Committed:
https://cgit.freebsd.org/ports/commit/?id=e873d898b941e784a62a0aa64fc8c11fd709c634