Date:      Wed, 14 Mar 2012 13:01:46 -0700
From:      Cy Schubert <Cy.Schubert@komquats.com>
To:        Mel Flynn <rflynn@acsalaska.net>
Cc:        magik@roorback.net, freebsd-ports@freebsd.org
Subject:   Re: security/openssh-portable
Message-ID:  <201203142001.q2EK1kre039910@slippy.cwsent.com>
In-Reply-To: Message from Mel Flynn <rflynn@acsalaska.net> of "Wed, 14 Mar 2012 20:19:34 BST." <4F60EF46.2040405@acsalaska.net>

In message <4F60EF46.2040405@acsalaska.net>, Mel Flynn writes:
> Hello Cy,
> 
> On 3/14/2012 08:57, Cy Schubert wrote:
> 
> [snip]
> 
> > What I propose to do is remove the GSSAPI
> > patch from security/openssh-portable and for those who need the GSSAPI
> > server key exchange, create a new port (through a repocopy of course) which
> > includes the illinois.edu GSI patch with reworked FreeBSD patches resolving
> > patch conflicts, calling it security/openssh-portable-gsi. Does this make
> > any sense to anyone?
> > 
> > Or, instead of the above, just include the GSI patch by default in a 
> > one-size-fits-all openssh-portable port? (Meaning that the GSI patch is 
> > applied regardless.) Does this make more sense to people?
> 
> Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I
> don't find that an issue, but others may.

Given that the current LPK patch is unmaintained by our upstream, I think 
it should be removed and we either move toward a one-size-fits-all port or 
have a second port with the one-size-fits-all GSI patch. Basically the 
current hodgepodge of patches in this port is unmaintainable, which is why 
this port is usually slow to be updated.

We can address the KRB5 requirement with ifdefs.

I'm leaning toward gutting a one-size-fits-all approach with patches that 
are maintainable. Secondly, if there are requirements for an insecure 
backlevel port, we could repocopy it. I'm not entirely enamoured with that 
idea, caveat emptor of course.

> 
> I'm also keeping a local fix you might want to properly integrate into
> the LPK patch: it fixes a bug that TLS cannot be turned off if
> LPKLdapConf is used.

If I go ahead and have the port repocopied and move forward with this, I'll 
see if I can include this patch.

I'll give it another day before making the repocopy request. The current 
port should be repocopied to openssh-portable58 and the new port assume the 
openssh-portable name.

I've yet to hear from the maintainer of this port for his thoughts on this.


-- 
Cheers,
Cy Schubert <Cy.Schubert@komquats.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org