Message-ID: <4F619653.3080103@roorback.net>
Date: Thu, 15 Mar 2012 08:12:19 +0100
From: Grzegorz Blach
To: Cy Schubert
Cc: Mel Flynn, freebsd-ports@freebsd.org
Subject: Re: security/openssh-portable
References: <201203142001.q2EK1kre039910@slippy.cwsent.com>
In-Reply-To: <201203142001.q2EK1kre039910@slippy.cwsent.com>
List-Id: Porting software to FreeBSD

On 03/14/2012 09:01 PM, Cy Schubert wrote:
> In message <4F60EF46.2040405@acsalaska.net>, Mel Flynn writes:
>> Hello Cy,
>>
>> On 3/14/2012 08:57, Cy Schubert wrote:
>>
>> [snip]
>>
>>> What I propose to do is remove the GSSAPI
>>> patch from security/openssh-portable and for those who need the GSSAPI
>>> server key exchange, create a new port (through a repocopy of course) which
>>> includes the illinois.edu GSI patch with reworked FreeBSD patches resolving
>>> patch conflicts, calling it security/openssh-portable-gsi. Does this make
>>> any sense to anyone?
>>>
>>> Or, instead of the above, just include the GSI patch by default in a
>>> one-size-fits-all openssh-portable port? (Meaning that the GSI patch is
>>> applied regardless.) Does this make more sense to people?
>>
>> Personally, I use HPN and LPK. If KRB5 becomes a requirement for HPN, I
>> don't find that an issue, but others may.
>
> Given that the current LPK patch is unmaintained by our upstream, I think
> it should be removed and we either move toward a one size fits all port or
> have a second port with the one-size-fits-all GSI patch. Basically the
> current hodgepodge of patches in this port are unmaintainable, which is why
> this port is usually slow to be updated.
>
> We can address the KRB5 requirement with ifdefs.
>
> I'm leaning toward gutting a one-size-fits-all approach with patches that
> are maintainable. Secondly, if there are requirements for an insecure
> backlevel port, we could repocopy it. I'm not entirely enamoured with that
> idea, caveat emptor of course.
>
>>
>> I'm also keeping a local fix you might want to properly integrate into
>> the LPK patch: it fixes a bug that TLS cannot be turned off if
>> LPKLdapConf is used.
>
> If I go ahead and have the port repocopied and move forward with this, I'll
> see if I can include this patch.
>
> I'll give it another day before making the repocopy request. The current
> port should be repocopied to openssh-portable58 and the new port assume the
> openssh-portable name.
>
> I've yet to hear from the maintainer of this port for his thoughts on this.
>

I (maintainer of security/openssh-portable) need one or two days to review
the GSI patch and other patches which are available for openssh-5.9. But
repocopying security/openssh-portable to security/openssh-portable58 and
upgrading security/openssh-portable to 5.9 sounds reasonable.