
Bug#828475: openssh: Please migrate to openssl1.1 in Buster
On Fri, Oct 13, 2017 at 01:26:45PM +0200, Sebastian Andrzej Siewior wrote:
> On 2017-10-13 01:21:35 [+0100], Colin Watson wrote:
> > I'm sorry, but reminders or not, at this time I do not intend to move to
> > 1.1 in advance of upstream; I consider that far too risky a change (it's
> > a ~4000-line patch to security-critical code, IIRC).  If you want to
> > lobby for this, you need to engage with the objections raised by
> > upstream on the openssh-unix-dev list.
> 
> Okay. My last information is that upstream is doing nothing because they
> want a shim layer provided by openssl-upstream. This did not happen and
> I doubt it will. Is there any new update on the situation or is this
> really the last update on the situation or was there some progress in
> the meantime?

That's basically the last I recall hearing, and that they were trying to
put pressure on OpenSSL upstream.

> PS: Fedora is shipping an updated / fixed version of the initial patch
>     as far as I am aware.

Look, I sympathise with trying to get everything onto current versions
of library code, I really do.  But it can't possibly be the right answer
for every distribution to ship a giant patch touching most of OpenSSH's
cryptographic internals; the stalemate needs to be broken upstream
somehow.

Also, Red Hat has maintainers paid to deal with forward-porting patches
in Fedora, whereas I'm normally doing it in my limited spare time.  I
don't mind that for patches that are smaller or easier to handle, but in
my assessment this one would be fiddly to deal with as time goes on; the
GSSAPI key exchange patch we're already carrying is complicated enough
already and has sometimes caused delays of weeks or worse in me being
able to merge new upstream versions, so I don't want to exacerbate that
problem.

There's the more complicated question of openssh-ssh1 as well, which is
frozen at an old upstream version now that upstream has dropped SSH1
support.  In that case I'm prepared to cherry-pick an upstream patch and
hunt down the necessary extra adjustments for SSH1 support, but I still
want it upstream first to minimise my liability to making
security-relevant mistakes.

Does it help that OpenSSH only uses libcrypto, not libssh?  If somebody
were to split out the headers relevant to libcrypto into a separate
package, then it'd be possible for openssh to build-depend on that.  (I
have no idea whether OpenSSL's headers are actually separable in this
way.)

-- 
Colin Watson                                       [cjwatson@debian.org]