Re: The GSS-API split
On Mon, Nov 11, 2024 at 03:04:05PM -0300, Andreas Hasenack wrote:
> I'm aware of the upcoming split[1] in openssh packages. This will of
> course affect, and benefit, downstream distributions, like Ubuntu,
> which also carries the key exchange patch.
>
> It's my understanding we will have two openssh src packages, right?
> One will produce binaries built without --with-kerberos5, and the
> other will enable kerberos5/gssapi, and the key exchange patch,
> correct?
Correct.
> In this cycle Ubuntu would like to try the unique-ccache patch[2] from
> Fedora, as we have seen some demand[3] for it. I understand it feels
> like the same trap that the key exchange patch created, but having the
> packages/builds split like described above will help reduce the risk
> of this change and make it opt-in basically. We have been trying out
> that patch in jammy and noble with a launchpad recipe for daily
> builds, and have also added DEP8 tests specifically for the changes
> the patch introduces. So far, so good.
Well, I suppose it just goes with the other pile of GSS-API-related
things.
> Do you have an idea when the work on this split will continue, or more
> details in general?
https://lists.debian.org/debian-devel/2024/04/msg00044.html has a
timeline, in the "GSS-API key exchange" section. The only change is
that I'm calling the packages openssh-*-gssapi rather than
openssh-*-gsskex, and pushing GSS-API authentication out to the other
side of the split along with key exchange.
It is necessary to wait for a Debian stable release with
openssh-*-gssapi before proceeding, to give people an opportunity for a
graceful upgrade.
Since Ubuntu has not kept up well with openssh merges (still on 9.7p1!),
you don't have the openssh-*-gssapi binary packages yet. I _strongly_
recommend that you get those merged along with the many other fixes from
upstream that you're missing, get them into 26.04 LTS with a suitable
release note telling people to install the openssh-*-gssapi packages if
they need GSS-API authentication or key exchange, and then you'll be
able to follow the source package split in 26.10 or later.
--
Colin Watson (he/him) [cjwatson@debian.org]