
Bug#484269: marked as done (openssh-blacklist bloats small debian systems with sshd)



Your message dated Sun, 8 Jun 2008 19:21:05 +0100
with message-id <20080608182105.GW16645@riva.ucam.org>
and subject line Re: Bug#484269: openssh-blacklist bloats small debian systems with sshd
has caused the Debian Bug report #484269,
regarding openssh-blacklist bloats small debian systems with sshd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
484269: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484269
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:4.7p1-12
Severity: important

openssh-server depends on openssh-blacklist. This enhances the size of a
small debian system significantly.

I think it is wrong to force the blacklist on every user of openssh.

openssh-server should:

* check at runtime if blacklists are installed. It may log a warning message
if it does not find blacklists (by default, which must be switched off
explicitly in the sshd_config file)
* and only recommend the openssh-blacklist package

Alternatively debian could provide a package which provides openssh-blacklist
but actually does not contain any blacklists.

Regards
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts



--- End Message ---
--- Begin Message ---
tags 484269 wontfix
thanks

On Tue, Jun 03, 2008 at 12:55:35PM +0200, Wolfgang Walter wrote:
> Package: openssh-server
> Version: 1:4.7p1-12
> Severity: important
> 
> openssh-server depends on openssh-blacklist. This enhances the size of a
> small debian system significantly.
>
> I think it is wrong to force the blacklist on every user of openssh.

I'm afraid I disagree. This is sufficiently important to the health of
the Internet (and I don't actually think I'm exaggerating) that I judged
it critical to take more extreme measures than usual to deploy the
blacklist. We had to make some compromises on the contents to keep it
vaguely reasonable.

Consider: without the blacklist, it is unlikely that the majority of
administrators would deploy it, and so it becomes trivial to write a
worm.

> openssh-server should:
> 
> * check at runtime if blacklists are installed. It may log a warning message
> if it does not find blacklists (by default, which must be switched off
> explicitly in the sshd_config file)

It already does this. The dependency is artificial but intentional.

> Alternatively debian could provide a package which provides openssh-blacklist
> but actually does not contain any blacklists.

You are welcome to do this yourself, using the equivs package; it's
actually rather easy to do locally. I don't think Debian should provide
it as such.

-- 
Colin Watson                                       [cjwatson@debian.org]


--- End Message ---
