Re: Shipping non-OpenSSH scp(1) binary



On Mon, Jul 10, 2017 at 09:55:15PM +0300, Guilhem Moulin wrote:
> Meanwhile I had a look at dropbear's scp variant and AFAICT it's
> actually an almost exact copy of OpenSSH 4.3p2's.  (It's mentioned in
> the headers, and the diff is pretty minimal.)

Could you attach the diff?

> Besides using the dropbear client, it also differs in that it doesn't
> pass options that are not understood by dbclient: ‘-x -oForwardAgent=no
> -oPermitLocalCommand=no -oClearAllForwardings=yes’.
> 
> In the end it seems like it makes little sense for Debian to ship an scp
> fork in the dropbear-bin package.  From the #495795 submitter I
> understood the concern was that with all its dependencies, installing
> OpenSSH's scp can be a problem on embedded systems (in a clean sid
> chroot `apt install --no-install-recommends openssh-client` pulls in 8
> dependencies for a total of 10.3MiB, while `apt install dropbear-bin`
> pulls in 0 dependencies).
> 
> But AFAICT OpenSSH's scp binary could very well be shipped in its own
> package with a dependency on ssh-client | ssh-server (possibly
> recommending both),

Just ssh-client; it has no relationship with the server other than being
invoked by it just like any other program.  I guess you're trying to
allow it to be installed in sink-only mode on servers, but for that I
think "Recommends: ssh-client" would be sufficient.

> libc6, and nothing else.  The dropbear SSH client
> seems to work fine with the current (1:7.5p1-5) OpenSSH scp.  (It spews
> some warnings due to the above options it doesn't understand, but we
> could easily implement them and/or make them a no-op to keep it quiet.)
> IMHO that might be the best way to fix that bug.

Right, if the options in question could be stubbed out or similar then I
think something like this approach would make sense.

So something like:

  Package: openssh-client
  Depends: openssh-scp

  Package: openssh-scp
  Recommends: openssh-client | ssh-client
  Breaks: openssh-client (<< first-version-without-scp)
  Replaces: openssh-client (<< first-version-without-scp)

  Package: dropbear-bin
  Recommends: openssh-scp
  Provides: ssh-client, ssh-server

But I think dropbear-bin can only reasonably provide the ssh-client
virtual package if it ships /usr/bin/ssh, and that would also be needed
in order to avoid having to say "scp -S dbclient".  What do you want to
do about this?  I'm not sure how disruptive it would be to make
dropbear-bin non-coinstallable with openssh-client; quite possibly very
disruptive.

Of course the client side only matters if you care about scp's source
mode.  If the main requirement is just to be able to have scp on an
embedded server running dropbear, then you could forget about the
"Provides: ssh-client" and the above would basically work assuming that
you used --no-install-recommends.

-- 
Colin Watson                                       [cjwatson@debian.org]

