
Bug#794759: marked as done (please keep openssh-sftp-server optional)



Your message dated Thu, 6 Aug 2015 12:39:40 +0100
with message-id <20150806113940.GC2220@riva.ucam.org>
and subject line Re: Bug#794759: please keep openssh-sftp-server optional
has caused the Debian Bug report #794759,
regarding please keep openssh-sftp-server optional
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
794759: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794759
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:6.6p1-4

Hi folks,

How come openssh-server depends upon openssh-sftp-server,
but openssh-sftp-server just recommends openssh-server?
sftp-server(8) says

"sftp-server is not intended to be called directly, but from
sshd(8) using the Subsystem option."

i.e. sftp-server is not supposed to be used without sshd.
Is it possible that the package dependencies got mixed up
here?

For security concerns I would prefer to not install and
enable sftp-server at all, as it was intended by upstream.
One security relevant package less to worry about.

It would be very nice if this could be fixed.


Thanks in advance
Harri

--- End Message ---
--- Begin Message ---
Control: tag -1 wontfix

On Thu, Aug 06, 2015 at 01:28:52PM +0200, Harald Dunkel wrote:
> How come openssh-server depends upon openssh-sftp-server,
> but openssh-sftp-server just recommends openssh-server?

openssh-sftp-server can be used by other SSH servers such as dropbear,
which is why it was split out; the split was not intended to allow
people to install the OpenSSH server without its sftp-server component.

Also, it has to be this way round to avoid breaking upgrades, since
openssh-server historically shipped the sftp server as well.

> For security concerns I would prefer to not install and
> enable sftp-server at all, as it was intended by upstream.

Upstream ships the whole lot in one bundle, of course; there's no
violation of upstream intent here.  You can always simply disable it in
your configuration.

Sorry, I'm not going to invert the dependencies in this case.

Regards,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
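
The reply above says the sftp server can be disabled in the sshd configuration. A check for that, as an added example that is not part of the original thread: it assumes the subsystem is declared with the `Subsystem` keyword in an sshd_config-style file and reports any active `Subsystem sftp` line. The function name and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report active "Subsystem sftp" lines in an sshd_config-style
# file. Exit status 0 means the sftp subsystem is configured, 1 means it is not.

sftp_subsystem_enabled() {
    # $1: path to the config file, or "-" to read it from stdin
    awk '
        /^[ \t]*#/ { next }          # comment line, e.g. a disabled Subsystem
        /^[ \t]*$/ { next }          # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /^[A-Za-z]+/) == 0) next
            # Keywords are case-insensitive; arguments are case-sensitive.
            keyword = tolower(substr(line, 1, RLENGTH))
            args = substr(line, RLENGTH + 1)
            # Accept both "Keyword value" and "Keyword=value".
            sub(/^[ \t]*=?[ \t]*/, "", args)
            split(args, field, /[ \t]+/)
            if (keyword == "subsystem" && field[1] == "sftp") {
                print FNR ": " line
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input, not taken from a real host: one commented-out
# definition (ignored) and one active definition (reported).
printf '%s\n' \
    'Port 22' \
    '#Subsystem sftp /usr/lib/openssh/sftp-server' \
    'subsystem sftp internal-sftp' |
    sftp_subsystem_enabled - || echo "sftp subsystem not configured"
```

On a real host the file to check is the one sshd actually loads; sshd must be reloaded after the line is commented out for the change to take effect.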
