Re: Uploading openssh NMU for SELinux updates as per release policy
On 27 Oct 2006 13:26:53 +0100, Matthew Vernon <email@example.com> said:
> Manoj Srivastava <firstname.lastname@example.org> writes:
>> Three days ago, I sent in a patch in Bug#394795 which updated
>> SELinux patches to bring 'em in line with currently released
>> SELinux code in Debian. I updated that patch, and the binaries
> I know nothing about SELinux, so can't really comment on the
> patch. In general, however, we encourage people wanting to patch
> openssh to talk to upstream first: Trying to maintain substantial
> patch-sets between openssh releases just causes pain, particularly
> if the feature involved is later implemented in upstream openssh,
> with differing config options &c. Furthermore, if upstream don't
> like a patch, we are naturally reluctant to deploy it ourselves.
That is an admirable policy, especially when applied to new
features. However, openssh already has SELinux -- but there is a wee
bit of bit-rot setting in. SELinux has changed; the SELinux
infrastructure shipping in Etch is different from the one that the
patches are based on. It would be a bug if the features of SELinux
were degraded (MLS levels being set to the default, low capability
ones) if one used ssh to log in as opposed to directly logging in.
So, since this is just bringing bits of openssh in line with
the version of SELinux we ship, I think it would be a bug _not_ to
update the SELinux code in openssh.
> Have the bits of this patch that aren't Debian-specific been even
> shown to upstream? If not, please don't go slamming them willy-nilly
> into Debian's openssh.
This change brings us in line with the Fedora and Gentoo
SELinux patches, so it might help getting it upstream.
If puns were deli meat, this would be the wurst.
Manoj Srivastava <email@example.com> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
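The bug Manoj describes above is that a session started through sshd can end up at the default, low MLS level while a console login of the same user gets the full level range. The following is an added example (not code from this thread, from Debian's openssh, or from the SELinux patches it discusses) showing a small POSIX sh check a defender could use to compare the level field of two SELinux security contexts in the `user:role:type:level` form that `id -Z` prints. All context strings below are constructed sample values, not taken from a real system; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: detect an SELinux MLS/MCS level that was degraded on an
# ssh login compared with a console login of the same user.
# Context format assumed: user:role:type:level (as printed by `id -Z`).
# The level itself may contain a colon (e.g. s0-s2:c0.c1023), so we take
# every field from the fourth onward, not just the fourth.

# Print the level field of a context string; "(none)" if the context
# carries no level at all (a non-MLS policy).
selinux_level() {
    lvl=$(printf '%s\n' "$1" | cut -d: -f4-)
    if [ -z "$lvl" ]; then
        printf '%s\n' "(none)"
    else
        printf '%s\n' "$lvl"
    fi
}

# Compare the level of a console-login context ($1) with the level of an
# ssh-login context ($2). Returns 0 when they match, 1 when ssh got a
# different (typically lower) level, which is the symptom described above.
check_level_match() {
    console_lvl=$(selinux_level "$1")
    ssh_lvl=$(selinux_level "$2")
    if [ "$console_lvl" = "$ssh_lvl" ]; then
        echo "ok: console and ssh sessions both run at level $console_lvl"
        return 0
    fi
    echo "mismatch: console level '$console_lvl' but ssh level '$ssh_lvl'"
    return 1
}

# Constructed sample contexts (not captured from any real host).
CONSOLE_CTX="staff_u:staff_r:staff_t:s0-s2:c0.c1023"
SSH_CTX_DEGRADED="staff_u:staff_r:staff_t:s0"
SSH_CTX_GOOD="staff_u:staff_r:staff_t:s0-s2:c0.c1023"

# Demo runs; written so a failing check does not abort the script under set -e.
check_level_match "$CONSOLE_CTX" "$SSH_CTX_DEGRADED" && echo "status 0" || echo "status 1"
check_level_match "$CONSOLE_CTX" "$SSH_CTX_GOOD" && echo "status 0" || echo "status 1"
```

On a real SELinux host one would feed `check_level_match` the output of `id -Z` captured once on the console and once inside an ssh session for the same account; a non-zero status means sshd is not carrying the user's configured level into the session.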