Bug#1110033: unblock: openssh/1:10.0p1-6



On Fri, Aug 01, 2025 at 01:10:47PM +0000, Ivo De Decker wrote:
As mentioned on IRC, I added the unblock, but I'm leaving the bug open for
now, to see if we want to add additional changes.

At least this will allow the change to get into trixie, and should allow us to
collect feedback from users who upgrade in the coming days.

Thanks!

On Fri, Aug 01, 2025 at 12:06:50PM +0100, Colin Watson wrote:
I haven't tested this as yet, but do you think it would be better?  It
seemed clearest to use the same condition in the preinst and postinst, but I
could be persuaded either way.

I'm inclined to prefer the version that removes the diversion in all cases
where /usr/sbin/sshd.session-split exists. If that exists, it means the
diversion is still there, and it must be removed, even if the postinst doesn't
think we're upgrading from an older version. If it doesn't exist, there's no
harm in having this code in the postinst.

Maybe it could also be useful to add some specific output when this is
happening. That could make it easier to debug things if unexpected corner
cases were to show up. I don't really have a good suggestion of the conditions
under which it would be good to give additional output (without alarming users
in the standard scenario), though.

OK, I added a message which I think is not too alarming, and ran it through all the same tests as before:

  Setting up openssh-server (1:10.0p1-7) ...
  Installing new version of config file /etc/pam.d/sshd ...
  Installing new version of config file /etc/ssh/moduli ...
  Replacing config file /etc/ssh/sshd_config with new version
  Finishing upgrade from pre-9.8 monolithic sshd ...
  Removing 'diversion of /usr/sbin/sshd to /usr/sbin/sshd.session-split by openssh-client'
  ssh.socket is a disabled or a static unit not running, not starting it.
  Created symlink /etc/systemd/system/ssh.service.wants/sshd-keygen.service → /lib/systemd/system/sshd-keygen.service.
  Created symlink /etc/systemd/system/sshd.service.wants/sshd-keygen.service → /lib/systemd/system/sshd-keygen.service.
  Created symlink /etc/systemd/system/sshd@.service.wants/sshd-keygen.service → /lib/systemd/system/sshd-keygen.service.
  Created symlink /etc/systemd/system/ssh.socket.wants/sshd-keygen.service → /lib/systemd/system/sshd-keygen.service.

debdiff attached, and I've uploaded this to unstable since (as mentioned on IRC) I'm about to be away for a couple of days and you probably want to be able to get the refined version in ASAP.

Thanks,

--
Colin Watson (he/him)                              [cjwatson@debian.org]
diff --git a/debian/changelog b/debian/changelog
index 8fedadf2f..eadb5be63 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+openssh (1:10.0p1-7) unstable; urgency=medium
+
+  * Make postinst logic for cleaning up the sshd diversion more robust.
+
+ -- Colin Watson <cjwatson@debian.org>  Fri, 01 Aug 2025 16:02:27 +0100
+
 openssh (1:10.0p1-6) unstable; urgency=medium
 
   * Temporarily divert /usr/sbin/sshd during upgrades from before
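
Review bot: The new changelog line "Make postinst logic for cleaning up the sshd diversion more robust" does not say what actually changed. Consider stating that the cleanup is now triggered by the presence of /usr/sbin/sshd.session-split rather than by the version comparison against 1:9.8p1-1~, and that the postinst prints a message when it runs, so that someone who sees the new output line after an upgrade can trace it back to this entry.
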
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index c0d43006d..498777ad6 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -116,7 +116,7 @@ if [ "$action" = configure ]; then
 		systemctl disable ssh.service
 	fi
 	# begin-remove-after: released:forky
-	if dpkg --compare-versions "$2" lt-nl 1:9.8p1-1~; then
+	if [ -e /usr/sbin/sshd.session-split ]; then
 		# We're ready to restart the listener process so that it
 		# executes sshd-session rather than sshd for new
 		# connections, so we can remove this diversion now.  This
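
Review bot: The guard on the changed line is now "[ -e /usr/sbin/sshd.session-split ]", but the comment below it still explains only why the diversion can be removed at this point, not why file existence is the trigger. Add a sentence to the comment saying that the presence of the diverted file is treated as evidence that the diversion is still registered, independent of the version in "$2", and say whether openssh-server.preinst uses the same condition, since the comment already sends the reader there.
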
@@ -126,11 +126,10 @@ if [ "$action" = configure ]; then
 		#
 		# See openssh-server.preinst for why we use this odd package
 		# name.
+		echo "Finishing upgrade from pre-9.8 monolithic sshd ..."
 		dpkg-divert --package openssh-client --remove --no-rename \
 			--divert /usr/sbin/sshd.session-split /usr/sbin/sshd
-		if [ -e /usr/sbin/sshd.session-split ]; then
-			mv -f /usr/sbin/sshd.session-split /usr/sbin/sshd
-		fi
+		mv -f /usr/sbin/sshd.session-split /usr/sbin/sshd
 	fi
 	# end-remove-after
 fi
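
Review bot: With the inner "-e" test dropped, the "mv -f" at the end of this block depends on the "dpkg-divert ... --remove --no-rename" call just above it having succeeded, and the hunk does not show how a failure there is handled. If the script does not run under "set -e", chain the two commands with "&&" so that sshd.session-split is not moved over /usr/sbin/sshd while the diversion is still registered. Separately, the new echo prints "Finishing upgrade from pre-9.8 monolithic sshd ..." whenever the file exists, including runs where "$2" is not a pre-9.8 version, so a wording that describes the action (removing the leftover sshd diversion) would stay accurate in those cases.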
