
Bug#1109742: unblock: openssh/1:10.0p1-6



Hi Colin,

I'm adding bug 1109742 to Cc, so it's easier to find the discussion in the
unblock request bug (#1110033), if people need to look into this later.

On Fri, Aug 01, 2025 at 04:05:10PM +0100, Colin Watson wrote:
> > On Fri, Aug 01, 2025 at 12:06:50PM +0100, Colin Watson wrote:
> > > I haven't tested this as yet, but do you think it would be better?  It
> > > seemed clearest to use the same condition in the preinst and postinst, but I
> > > could be persuaded either way.
> > 
> > I'm inclined to prefer the version that removes the diversion in all cases
> > where /usr/sbin/sshd.session-split exists. If that exists, it means the
> > diversion is still there, and it must be removed, even if the postinst doesn't
> > think we're upgrading from an older version. If it doesn't exist, there's no
> > harm in having this code in the postinst.
> > 
> > Maybe it could also be useful to add some specific output when this is
> > happening. That could make it easier to debug things if unexpected corner
> > cases were to show up. I don't really have a good suggestion of the conditions
> > under which it would be good to give additional output (without alarming users
> > in the standard scenario), though.
> 
> OK, I added a message which I think is not too alarming, and ran it through
> all the same tests as before:
> 
>   Setting up openssh-server (1:10.0p1-7) ...
>   Installing new version of config file /etc/pam.d/sshd ...
>   Installing new version of config file /etc/ssh/moduli ...
>   Replacing config file /etc/ssh/sshd_config with new version
>   Finishing upgrade from pre-9.8 monolithic sshd ...
>   Removing 'diversion of /usr/sbin/sshd to /usr/sbin/sshd.session-split by openssh-client'
>   ssh.socket is a disabled or a static unit not running, not starting it.
>   Created symlink /etc/systemd/system/ssh.service.wants/sshd-keygen.service → /lib/systemd/system/sshd-keygen.service.
>   Created symlink /etc/systemd/system/sshd.service.wants/sshd-keygen.service → /lib/systemd/system/sshd-keygen.service.
>   Created symlink /etc/systemd/system/sshd@.service.wants/sshd-keygen.service → /lib/systemd/system/sshd-keygen.service.
>   Created symlink /etc/systemd/system/ssh.socket.wants/sshd-keygen.service → /lib/systemd/system/sshd-keygen.service.
> 
> debdiff attached, and I've uploaded this to unstable since (as mentioned on
> IRC) I'm about to be away for a couple of days and you probably want to be
> able to get the refined version in ASAP.

OK.

I was able to find a corner case in the logic from 1:10.0p1-6:

- start with a bookworm system
- install openssh-server 1:10.0p1-6 (current version in trixie)
- kill the machine during the install
  (if there is a change in /etc/ssh/sshd_config, dpkg will ask you what to do
  with it, and that's a convenient time to kill a test vm for this)
- boot the system
- purge openssh-server
  after this, openssh-server is gone, but /usr/sbin/sshd from bookworm and the
  diversion are still there
- install openssh-server 1:10.0p1-6

For dpkg, this is no longer an upgrade, due to the purge, so the diversion
isn't removed and /usr/sbin/sshd from bookworm is still used.

When doing this with 1:10.0p1-7, everything gets cleaned up nicely when
openssh-server is installed in the end.

Obviously, I'm not suggesting that this is a very realistic scenario. Also, it
can probably be argued that the diversion should be cleaned up on purge in any
case, but I'm not going to care about that right now.


Thanks,

Ivo
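
The corner case from the message above, as an added shell example that is not part of the original mail or of the openssh packaging. It contrasts an upgrade-gated cleanup condition with the file-based one and adds an audit check against `dpkg-divert --list` output. The function names, the `--live` switch and the simplified model of the 1:10.0p1-6 condition are assumptions.

```shell
#!/bin/sh
# Added illustration; not the openssh package's maintainer scripts.
# Models the two cleanup conditions discussed in the thread and an audit
# check for a leftover diversion. All function names are hypothetical.

DIVERT_FROM=/usr/sbin/sshd
DIVERT_TO=/usr/sbin/sshd.session-split

# Upgrade-gated condition (assumed, simplified model of the 1:10.0p1-6
# behaviour described above): clean up only when dpkg passes a previously
# configured version to "postinst configure <old-version>".
cleanup_if_upgrade() {        # $1 = old version from dpkg, empty after purge
    [ -n "$1" ]
}

# File-based condition preferred in the thread: if the diverted file exists,
# the diversion is still there. $1 = root of the tree to inspect.
cleanup_if_file_exists() {
    [ -e "$1$DIVERT_TO" ]
}

# Audit helper: read `dpkg-divert --list` output on stdin and succeed if the
# sshd diversion is still registered.
diversion_registered() {
    grep -Fxq "diversion of $DIVERT_FROM to $DIVERT_TO by openssh-client"
}

# Constructed sample: state seen by postinst when openssh-server is installed
# again after the interrupted install and the purge.
make_corner_case_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/sbin"
    : > "$root$DIVERT_FROM"    # stands in for the old bookworm sshd
    : > "$root$DIVERT_TO"      # stands in for the new, diverted sshd
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--live" ]; then
    # On a real Debian host: report whether cleanup is still pending.
    if LC_ALL=C dpkg-divert --list | diversion_registered \
        || cleanup_if_file_exists ""; then
        echo "leftover sshd diversion found"
    else
        echo "no sshd diversion"
    fi
fi
```

Run with `--live` on a Debian host to check the real system; without arguments the script only defines the functions.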

