List: debian-devel
Subject: Re: Debian openssh option review: considering splitting out GSS-API key exchange
From: Michael Stone <mstone () debian ! org>
Date: 2024-04-03 19:59:37
Message-ID: 678e1898-f1f4-11ee-9b6a-00163eeb5320 () msgid ! mathom ! us
On Tue, Apr 02, 2024 at 01:30:10AM +0100, Colin Watson wrote:
> * add dependency-only packages called something like
> openssh-client-gsskex and openssh-server-gsskex, depending on their
> non-gsskex alternatives
> * add NEWS.Debian entry saying that people need to install these
> packages if they want to retain GSS-API key exchange support
> * add release note saying the same
>
> * for Debian trixie+1 (or maybe after the next Ubuntu LTS, depending on
> exact timings):
>
> * add separate openssh-gsskex source package, carrying gssapi.patch
> in addition to whatever's in openssh, and whose binary packages
> Conflicts/Replaces/Provides the corresponding ones from openssh
> * add some kind of regular CI to warn about openssh-gsskex being out
> of date relative to openssh
> * drop gssapi.patch from openssh, except for small patches to
> configuration file handling to accept the relevant options with
> some kind of informative warning (compare
> https://bugs.debian.org/152657)

To speed things up for those who really want it, perhaps make
openssh-client/server dependency-only packages on
openssh-client/server-nogss? People can choose the less-compatible
version for this release if they want to, and the default can change
next release. Pushing back the ability to install the unpatched version
for a few more years seems suboptimal.