
Re: The GSS-API split



Hi,

On Mon, Nov 11, 2024 at 6:57 PM Colin Watson <cjwatson@debian.org> wrote:
>
> On Mon, Nov 11, 2024 at 03:04:05PM -0300, Andreas Hasenack wrote:
> > I'm aware of the upcoming split[1] in openssh packages. This will of
> > course affect, and benefit, downstream distributions, like Ubuntu,
> > which also carries the key exchange patch.
> >
> > It's my understanding we will have two openssh src packages, right?
> > One will produce binaries built without --with-kerberos5, and the
> > other will enable kerberos5/gssapi, and the key exchange patch,
> > correct?
>
> Correct.
>
> > In this cycle Ubuntu would like to try the unique-ccache patch[2] from
> > Fedora, as we have seen some demand[3] for it. I understand it feels
> > like the same trap that the key exchange patch created, but having the
> > packages/builds split like described above will help reduce the risk
> > of this change and make it opt-in basically. We have been trying out
> > that patch in jammy and noble with a launchpad recipe for daily
> > builds, and have also added DEP8 tests specifically for the changes
> > the patch introduces. So far, so good.
>
> Well, I suppose it just goes with the other pile of GSS-API-related
> things.

Yes

>
> > Do you have an idea when the work on this split will continue, or more
> > details in general?
>
> https://lists.debian.org/debian-devel/2024/04/msg00044.html has a
> timeline, in the "GSS-API key exchange" section.  The only change is
> that I'm calling the packages openssh-*-gssapi rather than
> openssh-*-gsskex, and pushing GSS-API authentication out to the other
> side of the split along with key exchange.

So the change you have in testing/trixie now is the full extent of
what you plan to do there, just have the *-gssapi packages there,
empty but for deps, which in trixie+1 will have actual content and be
built from the new src package?

>
> It is necessary to wait for a Debian stable release with
> openssh-*-gssapi before proceeding, to give people an opportunity for a
> graceful upgrade.

Do you plan on having the new src package in trixie experimental perhaps?

>
> Since Ubuntu has not kept up well with openssh merges (still on 9.7p1!),
> you don't have the openssh-*-gssapi binary packages yet.  I _strongly_
> recommend that you get those merged along with the many other fixes from
> upstream that you're missing, get them into 26.04 LTS with a suitable
> release note telling people to install the openssh-*-gssapi packages if
> they need GSS-API authentication or key exchange, and then you'll be
> able to follow the source package split in 26.10 or later.

Yeah, the merge is behind.

I was hoping to start this change now, for 25.04, or 25.10 at the
latest, so that it would have stabilized for 26.04.  There is no
indication of when trixie will be released yet, right, just "sometime
in 2025"?

