Date:      Thu, 15 Mar 2012 08:12:19 +0100
From:      Grzegorz Blach <magik@roorback.net>
To:        Cy Schubert <Cy.Schubert@komquats.com>
Cc:        Mel Flynn <rflynn@acsalaska.net>, freebsd-ports@freebsd.org
Subject:   Re: security/openssh-portable
Message-ID:  <4F619653.3080103@roorback.net>
In-Reply-To: <201203142001.q2EK1kre039910@slippy.cwsent.com>
References:  <201203142001.q2EK1kre039910@slippy.cwsent.com>

On 03/14/2012 09:01 PM, Cy Schubert wrote:
> In message <4F60EF46.2040405@acsalaska.net>, Mel Flynn writes:
>> Hello Cy,
>>
>> On 3/14/2012 08:57, Cy Schubert wrote:
>>
>> [snip]
>>
>>> What I propose to do is remove the GSSAPI
>>> patch from security/openssh-portable and for those who need the GSSAPI
>>> server key exchange, create a new port (through a repocopy of course) which
>>> includes the illinois.edu GSI patch with reworked FreeBSD patches resolving
>>> patch conflicts, calling it security/openssh-portable-gsi. Does this make
>>> any sense to anyone?
>>>
>>> Or, instead of the above, just include the GSI patch by default in a
>>> one-size-fits-all openssh-portable port? (Meaning that the GSI patch is
>>> applied regardless.) Does this make more sense to people?
>>
>> Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I
>> don't find that an issue, but others may.
>
> Given that the current LPK patch is unmaintained by our upstream, I think
> it should be removed and we either move toward a one size fits all port or
> have a second port with the one-size-fits-all GSI patch. Basically the
> current hodgepodge of patches in this port is unmaintainable, which is why
> this port is usually slow to be updated.
>
> We can address the KRB5 requirement with ifdefs.
>
> I'm leaning toward gutting a one-size-fits-all approach with patches that
> are maintainable. Secondly, if there are requirements for an insecure
> backlevel port, we could repocopy it. I'm not entirely enamoured with that
> idea, caveat emptor of course.
>
>>
>> I'm also keeping a local fix you might want to properly integrate into
>> the LPK patch: it fixes a bug that TLS cannot be turned off if
>> LPKLdapConf is used.
>
> If I go ahead and have the port repocopied and move forward with this, I'll
> see if I can include this patch.
>
> I'll give it another day before making the repocopy request. The current
> port should be repocopied to openssh-portable58 and the new port assume the
> openssh-portable name.
>
> I've yet to hear from the maintainer of this port for his thoughts on this.
>
>

I (maintainer of security/openssh-portable) need one or two days to
review the GSI patch and other patches which are available for openssh-5.9.
But repocopying security/openssh-portable to security/openssh-portable58
and upgrading security/openssh-portable to 5.9 sounds reasonable.



