
List:       debian-devel
Subject:    Re: Debian openssh option review: considering splitting out GSS-API key exchange
From:       Michael Stone <mstone () debian ! org>
Date:       2024-04-03 19:59:37
Message-ID: 678e1898-f1f4-11ee-9b6a-00163eeb5320 () msgid ! mathom ! us

On Tue, Apr 02, 2024 at 01:30:10AM +0100, Colin Watson wrote:
>   * add dependency-only packages called something like
>     openssh-client-gsskex and openssh-server-gsskex, depending on their
>     non-gsskex alternatives
>   * add NEWS.Debian entry saying that people need to install these
>     packages if they want to retain GSS-API key exchange support
>   * add release note saying the same
>
> * for Debian trixie+1 (or maybe after the next Ubuntu LTS, depending on
>   exact timings):
>
>   * add separate openssh-gsskex source package, carrying gssapi.patch
>     in addition to whatever's in openssh, and whose binary packages
>     Conflicts/Replaces/Provides the corresponding ones from openssh
>   * add some kind of regular CI to warn about openssh-gsskex being out
>     of date relative to openssh
>   * drop gssapi.patch from openssh, except for small patches to
>     configuration file handling to accept the relevant options with
>     some kind of informative warning (compare
>     https://bugs.debian.org/152657)

To speed things up for those who really want it, perhaps make 
openssh-client/server dependency-only packages on 
openssh-client/server-nogss? People can choose the less-compatible 
version for this release if they want to, and the default can change 
next release. Pushing back the ability to install the unpatched version 
for a few more years seems suboptimal.
