
Bug#828475: openssh: Please migrate to openssl1.1 in Buster



On Mon, Oct 16, 2017 at 08:54:56PM +0200, Sebastian Andrzej Siewior wrote:
> On 2017-10-15 22:06:35 [+0100], Colin Watson wrote:
> > I dislike the idea of switching to a fork even more than the idea of
> > maintaining an enormous patch, I'm afraid - especially one that adds
> > other features, making it a one-way change.
> 
> Well, one way sure. You get features from the fork which upstream does
> not provide and the Debian version does not have. I had a brief look
> into the Debian patch queue and there was something regarding LDAP and the
> fork mentioned something about LDAP among other things so it looked like
> a win-win.

I believe (though it's a lot of code to trawl through and I'm not
certain) that the LDAP support in PKIX-SSH is related to X.509
certificates rather than the LDAP public key patch that was requested,
although of course one might be able to use it for somewhat similar
purposes.

> I understand that if you add *more* features which openssh does not
> provide that this makes it hard to switch back. Yes. I actually hope
> that it does not come to that and I assumed that some of those features
> might be good to have.

The main problem with any big patch, whether it arrives via a fork or
not, is normally configuration.  Add new configuration keys and people
will start using them, which means that it's difficult to ever drop the
patch or switch away from the fork because people's sshds will stop
being able to start.  PKIX-SSH adds a slew of new configuration keys for
X.509 certificate support, and this would be even more complicated to
wind back from than usual because it extends the format of
~/.ssh/authorized_keys and similar.

Furthermore, upstream OpenSSH specifically rejected X.509 certificate
support and did their own certificate format in order to avoid having an
X.509 parser on the security boundary, so PKIX-SSH now has two
similar-but-not-quite-the-same certificate formats.  (And yes, I know
there are differences that make it worthwhile for the PKIX-SSH author to
continue to maintain the X.509 support, but still, it highlights that we
ought to apply more criticism than "some of those features might be good
to have".)

> There was a glibc -> eglibc switch a while ago. One of the "features" of
> eglibc was a maintained arm and mips port. They switched back to glibc
> after all the eglibc features went into glibc. So that was kind of the
> perspective I was looking at it.

The eglibc maintainers were extremely careful about compatibility, as
befits a libc implementation.  As far as I know, users on architectures
that were already well-supported by glibc weren't tied to the fork
particularly tightly: notably, and I think it's the best point of
comparison to the OpenSSH case, there were no EGLIBC_* symbol versions.
The eglibc example doesn't support your case well.

I also generally echo what Russ said in their reply.

> So I guess there is nothing I can do to sell it better?

I'm sorry, but no.  The subject's closed from my point of view, and I
think it's a derailment from the main topic of this bug.

-- 
Colin Watson                                       [cjwatson@debian.org]