Bug#996391: openssh: New upstream version available
On Wed, Oct 13, 2021 at 05:38:56PM +0200, Michael Prokop wrote:
> the current upstream version is 8.8p1 (see [1]), I'm sure that
> the package maintainers are aware of this, but I couldn't find any
> tracking bug report about this, so reporting it here. :)
>
> Given that there are plenty of new features, but also the (upcoming)
> deprecation of scp(1), the disabled RSA signatures using the SHA-1
> hash algorithm, ... it would be nice to get a more current OpenSSH
> version in Debian.
I'm indeed aware of this; but this is a good opportunity to explain the
status, so thanks.
The first issue was in sorting out an updated version of the GSS-API key
exchange patch, which these days we maintain in conjunction with Fedora,
but I wanted to sort out a new branch maintenance strategy. The current
version of this is
https://github.com/openssh-gsskex/openssh-gsskex/pull/23. (I don't
think it's necessary to wait for review here; I've pulled that PR into
my packaging in progress.)
The second issue was that when I put together updated packaging and
started my usual testing, I discovered that the SSH implementation in
Twisted Conch doesn't support rsa-sha2-* signatures
(https://twistedmatrix.com/trac/ticket/9765). I've actually known about
this for a while but it had unfortunately slipped my mind. Fixing this
requires first implementing RFC 8308 extension negotiation, which is
currently pending review as
https://github.com/twisted/twisted/pull/1666. The reason I care about
this, beyond general interoperability, is that in my day job my team
maintains some SSH endpoints which use Twisted Conch, and it would be
personally very inconvenient if we had to suddenly start fielding lots
of support requests due to the default OpenSSH configuration in Debian
refusing to talk to them; so I realize that isn't necessarily compelling
for everyone, but I'd rather hold off until I get this sorted out. (I
might stick 8.8p1 packages in experimental before then, though.)
I'll keep pushing on the Twisted issues, and hopefully we can get this
sorted out soon.
--
Colin Watson (he/him) [cjwatson@debian.org]
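To make the interoperability problem in the message concrete: under RFC 8308 a server that supports extension negotiation lists `ext-info-s` in its KEXINIT key-exchange algorithms and later sends an SSH_MSG_EXT_INFO carrying `server-sig-algs`, the public-key signature algorithms it accepts for authentication. A client only learns that `rsa-sha2-256`/`rsa-sha2-512` are usable from that list; without it, RFC 8332 lets the client fall back to a SHA-1 `ssh-rsa` signature, which an OpenSSH 8.8 client no longer accepts by default. The following model of that decision is an added illustration, not OpenSSH, Twisted or Debian code; the client policy list, the key-type table and the two constructed server profiles are assumptions chosen to show the effect, and the fallback rule is a simplification of the RFC text rather than OpenSSH's exact logic.

```python
"""Model of RFC 8308 server-sig-algs negotiation for public-key auth.

Added illustration only; not OpenSSH, Twisted Conch or Debian packaging code.
"""

# Constructed client policy modelled on OpenSSH 8.8 dropping SHA-1 "ssh-rsa"
# signatures from its defaults (assumption: the exact list is illustrative).
CLIENT_ACCEPTED = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"]

# Signature algorithms a key of each type can produce, in preference order
# (assumption: table limited to the key types used in the scenarios below).
KEY_TYPE_SIGALGS = {
    "ssh-rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "ssh-ed25519": ["ssh-ed25519"],
    "ecdsa-sha2-nistp256": ["ecdsa-sha2-nistp256"],
}


def server_supports_ext_info(server_kex_algs):
    """RFC 8308: a server signals support by listing ext-info-s among its
    key-exchange algorithms in KEXINIT."""
    return "ext-info-s" in server_kex_algs


def parse_server_sig_algs(ext_info):
    """ext_info maps extension name -> value as carried in SSH_MSG_EXT_INFO.
    server-sig-algs is a comma-separated name-list; None means not advertised."""
    value = ext_info.get("server-sig-algs")
    if value is None:
        return None
    return [alg for alg in value.split(",") if alg]


def choose_sig_alg(key_type, server_kex_algs, ext_info, client_accepted=CLIENT_ACCEPTED):
    """Return the signature algorithm the client would use for key_type, or None
    if no algorithm is both usable with the server and allowed by the client."""
    candidates = KEY_TYPE_SIGALGS[key_type]
    server_algs = parse_server_sig_algs(ext_info) if server_supports_ext_info(server_kex_algs) else None
    if server_algs is None:
        # No server-sig-algs: the client has no signal that rsa-sha2-* is
        # understood. Modelled on RFC 8332's allowance to fall back to the key
        # type's own name (ssh-rsa); a simplification, not OpenSSH's exact rule.
        candidates = [key_type] if key_type in candidates else candidates
    else:
        candidates = [alg for alg in candidates if alg in server_algs]
    for alg in candidates:
        if alg in client_accepted:
            return alg
    return None


# Constructed server profiles (assumptions, not captured from real hosts).
SERVER_NO_EXT_INFO = {"kex": ["curve25519-sha256"], "ext_info": {}}
SERVER_WITH_EXT_INFO = {
    "kex": ["curve25519-sha256", "ext-info-s"],
    "ext_info": {"server-sig-algs": "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa"},
}


def scenarios():
    """Run the key-type/server combinations the discussion above is about."""
    return {
        "rsa_vs_no_ext_info": choose_sig_alg("ssh-rsa", SERVER_NO_EXT_INFO["kex"], SERVER_NO_EXT_INFO["ext_info"]),
        "rsa_vs_ext_info": choose_sig_alg("ssh-rsa", SERVER_WITH_EXT_INFO["kex"], SERVER_WITH_EXT_INFO["ext_info"]),
        "ed25519_vs_no_ext_info": choose_sig_alg("ssh-ed25519", SERVER_NO_EXT_INFO["kex"], SERVER_NO_EXT_INFO["ext_info"]),
        # Client that has explicitly re-enabled ssh-rsa for a legacy host.
        "rsa_vs_no_ext_info_legacy_client": choose_sig_alg(
            "ssh-rsa", SERVER_NO_EXT_INFO["kex"], SERVER_NO_EXT_INFO["ext_info"],
            client_accepted=CLIENT_ACCEPTED + ["ssh-rsa"]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The first scenario is the situation described in the message: an RSA key against a server with no extension negotiation yields no acceptable algorithm, so authentication cannot proceed, whereas the same key against a server advertising `server-sig-algs` negotiates `rsa-sha2-512`, and a non-RSA key is unaffected either way. The last scenario shows that the only client-side escape is to opt back into `ssh-rsa` for that host, which is the kind of per-endpoint fallout the maintainer wants to avoid.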