Comment 21 for bug 1643708

>>>>> "Robie" == Robie Basak <email address hidden> writes:

    Robie> @Bruce Thank you for detailing your testing. In your test
    Robie> suite, do you cover any interoperability with SPNEGO but
    Robie> not-Windows, whether in integration or code path coverage?
    Robie> That's the use case I'm concerned about - that someone will
    Robie> come along and tell us that we regressed SPNEGO against
    Robie> WebSphere or something because we focused on just testing
    Robie> Windows.

Hi.
As I understand it, this is a backport of an upstream change.
It's always possible there is an interop regression.
In this instance though, given where the patch comes from originally,
and that it's been in upstream releases for a while, I think you're
relatively safe.
SPNEGO interop is really hard to test though; it's not something that
you can get good coverage for without a specific interoperability lab
and careful test plans.

I don't know if upstream has done that for this patch, although I do
have high confidence that people do interop tests against the upstream
version.

So, while I think your concern is reasonable, I'd urge you to consider
that you're setting a really high bar here for backporting a patch that
an interoperability-conscious upstream has vetted.
Yes, the MIT folks have messed up interop (just as everyone else), but
they are fairly careful and conservative.

If you do want to do interop testing, the interesting cases to cover
are:

* Initiator prefers Kerberos; other side does not support it

* Acceptor prefers Kerberos, initiator does not support it

* Initiator prefers NTLM and some non-Kerberos third mechanism

* Acceptor prefers NTLM, doesn't have Kerberos, but does have some third
  mechanism

I think setting all that up is a good week's worth of work with someone
who really knows what they are doing.

--Sam