Date: Thu, 15 Mar 2012 08:12:19 +0100
From: Grzegorz Blach <magik@roorback.net>
To: Cy Schubert <Cy.Schubert@komquats.com>
Cc: Mel Flynn <rflynn@acsalaska.net>, freebsd-ports@freebsd.org
Subject: Re: security/openssh-portable
Message-ID: <4F619653.3080103@roorback.net>
In-Reply-To: <201203142001.q2EK1kre039910@slippy.cwsent.com>
References: <201203142001.q2EK1kre039910@slippy.cwsent.com>

On 03/14/2012 09:01 PM, Cy Schubert wrote:
> In message <4F60EF46.2040405@acsalaska.net>, Mel Flynn writes:
>> Hello Cy,
>>
>> On 3/14/2012 08:57, Cy Schubert wrote:
>>
>> [snip]
>>
>>> What I propose to do is remove the GSSAPI
>>> patch from security/openssh-portable and for those who need the GSSAPI
>>> server key exchange, create a new port (through a repocopy of course) which
>>> includes the illinois.edu GSI patch with reworked FreeBSD patches resolving
>>> patch conflicts, calling it security/openssh-portable-gsi. Does this make
>>> any sense to anyone?
>>>
>>> Or, instead of the above, just include the GSI patch by default in a
>>> one-size-fits-all openssh-portable port? (Meaning that the GSI patch is
>>> applied regardless.) Does this make more sense to people?
>>
>> Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I
>> don't find that an issue, but others may.
>
> Given that the current LPK patch is unmaintained by our upstream, I think
> it should be removed and we either move toward a one size fits all port or
> have a second port with the one-size-fits-all GSI patch. Basically the
> current hodgepodge of patches in this port are unmaintainable, which is why
> this port is usually slow to be updated.
>
> We can address the KRB5 requirement with an ifdefs.
>
> I'm leaning toward gutting a one-size-fits-all approach with patches that
> are maintainable. Secondly, if there are requirements for an insecure
> backlevel port, we could repocopy it. I'm not entirely enamoured with that
> idea, caveat emptor of course.
>
>>
>> I'm also keeping a local fix you might want to properly integrate into
>> the LPK patch: it fixes a bug that TLS cannot be turned off if
>> LPKLdapConf is used.
>
> If I go ahead and have the port repocopied and move forward with this, I'll
> see if I can include this patch.
>
> I'll give it another day before making the repocopy request. The current
> port should be repocopied to openssh-portable58 and the new port assume the
> openssh-portable name.
>
> I've yet to hear from the maintainer of this port for his thoughts on this.
>

I (maintainer of security/openssh-portable) need one or two days to review
the GSI patch and other patches which are available for openssh-5.9.
But repocopy security/openssh-portable to security/openssh-portable58 and
upgrade security/openssh-portable to 5.9 sound reasonable.