The GSS-API split

To: debian-ssh@lists.debian.org
Subject: The GSS-API split
From: Andreas Hasenack <andreas@canonical.com>
Date: Mon, 11 Nov 2024 15:14:58 -0300
Message-id: <[🔎] CANYNYEHxTYF4CdpNOMkJJX5g0atcaMM5bWb1+J8tY_kHMW9yhg@mail.gmail.com>
In-reply-to: <[🔎] CANYNYEFWkThAtwYSG6eJugqrWTA7UUEFL6KzG=J4VkgxHkSF8Q@mail.gmail.com>
References: <[🔎] CANYNYEFWkThAtwYSG6eJugqrWTA7UUEFL6KzG=J4VkgxHkSF8Q@mail.gmail.com>

Hi all,

I'm aware of the upcoming split[1] in openssh packages. This will of
course affect, and benefit, downstream distributions, like Ubuntu,
which also carries the key exchange patch.

It's my understanding we will have two openssh src packages, right?
One will produce binaries built without --with-kerberos5, and the
other will enable kerberos5/gssapi, and the key exchange patch,
correct?

In this cycle Ubuntu would like to try the unique-ccache patch[2] from
Fedora, as we have seen some demand[3] for it. I understand it feels
like the same trap that the key exchange patch created, but having the
packages/builds split like described above will help reduce the risk
of this change and make it opt-in basically. We have been trying out
that patch out in jammy and noble with a launchpad recipe for daily
builds, and have also added DEP8 tests specifically for the changes
the patch introduces. So far, so good.

Do you have an idea when the work on this split will continue, or more
details in general?


1. https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-August/041553.html
2. https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-gssapi-new-unique.patch
3. https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1889548

Reply to:

References:
- The GSS-API split
  - From: Andreas Hasenack <andreas@canonical.com>

Prev by Date: The GSS-API split
Next by Date: Re: The GSS-API split
Previous by thread: The GSS-API split
Next by thread: Re: The GSS-API split
Index(es):
- Date
- Thread