From owner-freebsd-security@freebsd.org Wed Nov 11 19:28:08 2015
Date: Wed, 11 Nov 2015 19:28:06 +0000
From: Brooks Davis
To: Bryan Drewery
Cc: Dag-Erling Smørgrav, freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: OpenSSH HPN
Message-ID: <20151111192806.GB44561@spindle.one-eyed-alien.net>
References: <86io5a9ome.fsf@desk.des.no> <56428E8A.3090201@FreeBSD.org>
In-Reply-To: <56428E8A.3090201@FreeBSD.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
List-Id: "Security issues [members-only posting]"

On Tue, Nov 10, 2015 at 04:40:42PM -0800, Bryan Drewery wrote:
> On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote:
> > Some of you may have noticed that OpenSSH in base is lagging far behind
> > the upstream code.
> >
> > The main reason for this is the burden of maintaining the HPN patches.
> > They are extensive, very intrusive, and touch parts of the OpenSSH code
> > that change significantly in every release. Since they are not
> > regularly updated, I have to choose between trying to resolve the
> > conflicts myself (hoping I don't break anything) or waiting for them to
> > catch up and then figuring out how to apply the new version.
> >
> > Therefore, I would like to remove the HPN patches from base and refer
> > anyone who really needs them to the openssh-portable port, which has
> > them as a default option. I would also like to remove the NONE cipher
> > patch, which is also available in the port (off by default, just like in
> > base).
>
> I had this same problem as well, but have since reworked the HPN patch
> for ports to be more easily maintained. I've considered offering or
> just updating the base SSH, but have not since we have random changes in
> the HPN functionality in base that would be lost. We for some reason
> decided we were going to maintain our own version and not even upstream
> the changes to the HPN authors, which has contributed to this situation.

We had every intention of upstreaming our cleaned up HPN patches and some
interest from OpenSSH devs to take the window scaling portion of the
patch upstream, but other things intruded and we never found time to
complete that work. I think both the window scaling and NONE cipher
changes are useful, but do not have time to do anything with them. I'm
fine with them being removed from base and replaced or just dropped if
they are in the way of progress.

-- Brooks