Re: The GSS-API split
Hi,
On Tue, Nov 12, 2024 at 12:44 PM Colin Watson <cjwatson@debian.org> wrote:
>
> On Tue, Nov 12, 2024 at 09:33:14AM -0300, Andreas Hasenack wrote:
> > > It is necessary to wait for a Debian stable release with
> > > openssh-*-gssapi before proceeding, to give people an opportunity for a
> > > graceful upgrade.
> >
> > Do you plan on having the new src package in trixie experimental perhaps?
>
> "trixie experimental" isn't really a thing, but if you mean "in
> experimental before trixie releases" ... maybe? I don't really want to
> spend more time than necessary merging changes back and forward between
> source packages though.
>
> > > Since Ubuntu has not kept up well with openssh merges (still on 9.7p1!),
> > > you don't have the openssh-*-gssapi binary packages yet. I _strongly_
> > > recommend that you get those merged along with the many other fixes from
> > > upstream that you're missing, get them into 26.04 LTS with a suitable
> > > release note telling people to install the openssh-*-gssapi packages if
> > > they need GSS-API authentication or key exchange, and then you'll be
> > > able to follow the source package split in 26.10 or later.
> >
> > Yeah, the merge is behind.
> >
> > I was hoping to start this change now, for 25.04, or 25.10 at the
> > latest, so that it would have stabilized for 26.04.
>
> Well, you'd need to get the empty *-gssapi binary packages into 26.04 in
> order to be able to do the second stage of the split for 28.04.
> Otherwise anyone actually using GSS-API in Ubuntu won't have a
> reasonable upgrade path.
If I understood it correctly, the plan is to let people know via
d/NEWS (already in 1:9.8p1-5), and via release notes, that they should
install *-gssapi packages if they rely on that authentication
mechanism. If they don't use the new packages, when a release to
trixie+1 happens they will lose the ability to authenticate via
gssapi. So there is a user-driven component here: they have to be
aware, and take action. Across release boundaries that is ok, is the
thinking?
> Is there really a good reason that the unique-ccache patch needs to
> block on proceeding further with the package split? Yes, in theory it
> would reduce the risk a bit, but it's already mostly behind a new
> off-by-default configuration option. I think that rushing the package
That patch is quite intrusive as well, and there is a risk it might
not apply cleanly on top of a new openssh version, or on top of
another security patch that might come. We have been testing it for
jammy and noble, and such a case hasn't happened yet in all the
openssh updates we released so far, but it's a concern. Probably the
same one you had when you imported the key-exchange patch way back.
I wouldn't want to be in a position where this patch is delaying a
security update to openssh because it's not applying and needs
refactoring. If it's only applied in the other openssh source package,
we would still be able to release the main one quickly, while the
patch is being worked on. But maybe I can't avoid this.
> split in order to apply unique-ccache is bad tactics, and if you want to
> apply unique-ccache then you should just do it in advance of the split.
>
> > There is no indication of when trixie will be released yet, right,
> > just "sometime in 2025"?
>
> Not yet, no. But if you look at
> https://en.wikipedia.org/wiki/Debian_version_history, Debian's had a
> fairly reliable two-year cadence (plus or minus a few months) since
> 2005, so mid-2025 seems like a pretty good bet.
>
> Given that, I expect that Ubuntu 26.04 will be the blocker for
> proceeding with the second stage of the split, not trixie.
But 26.04 will be based on Debian testing from late 2025, likely Forky
already, where the second phase split will be done, or due to be done.
Which would leave us with this upgrade path:
24.04 -> 26.04: no split, to full split
25.10 -> 26.04: first phase split, to full split
Or, if early forky doesn't have the full split:
24.04 -> 26.04: no split, to first phase split
25.10 -> 26.04: first phase split, to same
In the meantime, I'll see who can merge openssh from Debian into
plucky (might as well be me).
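The user-driven component discussed above (people who rely on GSS-API must notice the d/NEWS entry and install the openssh-*-gssapi packages before the split completes) can be turned into a pre-upgrade check. The script below is an added example, not code from this thread or from the Debian or Ubuntu openssh packaging. It assumes the binary packages are named openssh-client-gssapi and openssh-server-gssapi (the thread only says openssh-*-gssapi), and it treats any GSSAPIAuthentication or GSSAPIKeyExchange directive set to yes in the system ssh_config, sshd_config or their .d drop-ins as "this host relies on GSS-API". Match and Host blocks are deliberately not interpreted, so the check errs on the side of reporting GSS-API as in use.

```shell
#!/bin/sh
# Added example (not from the thread): find out whether this host relies on
# OpenSSH GSS-API authentication or key exchange and, if so, whether the
# openssh-*-gssapi packages are installed, before a release upgrade drops
# GSS-API support from the main openssh packages.
# Assumption: the packages are called openssh-client-gssapi and
# openssh-server-gssapi.

# Exit 0 if the given ssh_config/sshd_config style file enables
# GSSAPIAuthentication or GSSAPIKeyExchange. Comments are stripped and
# "Key=value" spelling is accepted. Match/Host blocks are not interpreted:
# a "yes" anywhere in the file counts, which is the conservative choice here.
gssapi_enabled_in_config() {
    [ -r "$1" ] || return 1
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # drop comments, normalise "="
        tolower($1) ~ /^gssapi(authentication|keyexchange)$/ && tolower($2) == "yes" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Read an installed-package list (one name per line) on stdin and print the
# required -gssapi packages that are missing, one per line. Exit 0 if none are.
missing_gssapi_packages() {
    installed=$(cat)
    missing=""
    for pkg in openssh-client-gssapi openssh-server-gssapi; do
        printf '%s\n' "$installed" | grep -qxF "$pkg" || missing="$missing $pkg"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# Driver for a real Debian/Ubuntu host: scan the system OpenSSH configuration
# (including the Include'd .d directories Debian ships) and then consult dpkg.
gssapi_upgrade_check() {
    uses=0
    for f in /etc/ssh/ssh_config /etc/ssh/ssh_config.d/*.conf \
             /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf; do
        gssapi_enabled_in_config "$f" && { echo "GSS-API enabled in $f"; uses=1; }
    done
    if [ "$uses" -eq 0 ]; then
        echo "No GSSAPI* directive enabled; the package split does not affect this host"
        return 0
    fi
    if ! command -v dpkg-query >/dev/null 2>&1; then
        echo "dpkg-query not found; cannot verify the openssh-*-gssapi packages"
        return 0
    fi
    # Only packages in state "installed" count, not removed-but-configured ones.
    if m=$(dpkg-query -W -f='${Package} ${Status}\n' \
             | awk '$NF == "installed" { print $1 }' \
             | missing_gssapi_packages); then
        echo "openssh-*-gssapi packages present; GSS-API survives the split"
    else
        echo "GSS-API is relied on but these packages are missing: $m"
        return 1
    fi
}

# Run the host check only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    gssapi_upgrade_check
fi
```

Run it as `sh gssapi-split-check.sh --run` on the host before the dist-upgrade; a non-zero exit means GSS-API is configured but the replacement packages are not installed yet. The configuration parser and the package check are separate functions so they can be exercised on sample input without touching the live system.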