Bug#828475: openssh: Please migrate to openssl1.1 in Buster

Sebastian Andrzej Siewior <sebastian@breakpoint.cc> writes:

> Well, one way sure. You get features from the fork which upstream does
> not provide and the Debian version does not have. I had a brief look
> into debian patch queue and there was something regarding ldap and the
> fork mentioned something about ldap among other things so it looked like
> a win-win. Not to mention the openssl 1.1 support.

I think it would be a drastic mistake for our users and our security
posture for Debian to switch to an almost-unknown, single-maintainer fork
of a package as critical to system security as OpenSSH.  This isn't the
kind of package on which you can take that kind of chance.

I suspect Colin understandably regrets even taking the GSSAPI patch (as
much as it has made things hugely better for the Kerberos community and
has allowed Debian to drop other Kerberos software that was a collection
of security vulnerabilities waiting to happen).  For this type of package,
it's to everyone's advantage to stay as close to the center of the road
everyone else is driving on as possible and pool security audit and
incident response resources.

The only way I could see a fork making sense is if a bunch of
distributions with similar problems decided to pursue a stable fork and
companies like Red Hat or Canonical started throwing significant
development resources behind that fork.  But I think that's rather
unlikely to happen.

> There was a glibc -> eglibc switch a while ago. One of the "features" of
> eglibc was a maintained arm and mips port. They switched back to glibc
> after all the eglibc features went into glibc. So that was kind of the
> perspective I was looking at it from.

Debian switched to eglibc partly because much of the glibc development
community had switched to eglibc, and it was a healthier and more vibrant
project with more eyes on it (due to serious governance problems with the
glibc project at the time).  Debian didn't so much switch back as the
original glibc was abandoned and eglibc *became* glibc in every meaningful
way except for some details on how source trees were managed.  The
governance of glibc now is essentially from eglibc.

This is not at all an analogous situation.  OpenSSH is not in trouble as a
project, this fork is not replacing it or causing any mass defection of
developers, and all the development energy is with the current upstream.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>