On Wed, Aug 12, 2015 at 11:56:06AM +0200, Daniel Baumann wrote:
> retitle 785190 new upstream (7.0p1)
> thank
>
> we're at 7.0 now
Indeed we are. Apologies for slacking on this: my main problem was rebasing the GSSAPI key exchange patch, since some code it depends on changed quite a bit in 6.8p1 and I'd been very short of time to sit and stare at it sufficiently to work out the correct way to rebase it. I realised recently that Fedora carries a similar patch and has upgraded, though, so I've borrowed from their patch to get over this hurdle. My tree is up as far as 6.9p1 now and I'm in the final stages of preparing an upload.

7.0p1 is trickier. Not because the actual upgrade is hard, but, well. I left this comment in my changelog:

  * There are some things I want to fix before upgrading to 7.0p1, though I
    intend to do that soon. In the meantime, backport security patches:

I owe you an explanation for that, but it was a bit too verbose for the changelog. The main reason is that Twisted Conch does not support SHA-2 or other cryptographic improvements that OpenSSH 7.0p1 now requires. Here are some relevant bugs:

  https://twistedmatrix.com/trac/ticket/5350
  https://twistedmatrix.com/trac/ticket/7672
  https://twistedmatrix.com/trac/ticket/7717

As you can see from the second of those, I tried to attack this a while ago but didn't have time to follow up on the review. But we use Twisted Conch in my day job for {bazaar,git}.launchpad.net, and if I suddenly cause everyone's default configuration not to work with that, I'm going to find myself spending a disproportionate amount of time on user support all of a sudden, which will take time away from actually fixing the problem. I realise this is kind of an unsatisfying explanation if you don't rely on interoperability with Twisted Conch.
I don't want to be in the position of holding back obvious upstream security improvements even partially for selfish reasons (though I'm sure other folks use Twisted Conch too; and in any case the IT risk and compliance folks at work have been hassling us to get this fixed), so I plan to work on this very soon and in any event promise now that Debian jessie will release with OpenSSH >= 7.0p1. I just wanted to explain why this is going to take a bit longer than would be ideal.

If it takes more than a week or so to make progress on the Twisted Conch side of things, I'll at least prepare an update to 7.0p1 for experimental so that things aren't completely stalled.

-- 
Colin Watson [cjwat...@debian.org]
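The interoperability failure described in this message comes down to SSH algorithm negotiation (RFC 4253, section 7.1): the key exchange method used is the first entry on the client's list that the server also offers, and if there is none the connection fails before authentication. The following is an added example, not code from Colin Watson, Debian or the OpenSSH project, that models this negotiation for a server whose default key exchange set has dropped the old SHA-1 methods and a legacy client that offers only SHA-1 methods. Both algorithm lists are constructed for illustration and are not a verified dump of any OpenSSH or Twisted Conch version; the real lists come from `ssh -Q kex` and `sshd -T` on the systems concerned. The `KexAlgorithms` directive is real (sshd_config, OpenSSH >= 5.7); the helper that builds a compatibility line is this example's own and re-enables only the specific legacy method an operator names, so modern clients still negotiate the strongest option first.

```python
"""Model SSH key exchange negotiation (RFC 4253 section 7.1) to see why a
legacy client stops interoperating when a server drops SHA-1 methods.

Added example; not code from the Debian openssh package, OpenSSH or
Twisted Conch. Algorithm lists are CONSTRUCTED for illustration.
"""
from typing import List, Optional, Sequence

# Constructed: a server whose default KEX set offers only one SHA-1 method
# (group14) and no diffie-hellman-group1-sha1. Not a verified OpenSSH list.
MODERN_SERVER_KEX = (
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
)

# Constructed: a legacy client that knows only the old SHA-1 KEX methods.
# Not a verified Twisted Conch list.
LEGACY_CLIENT_KEX = (
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group1-sha1",
)


def negotiate(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """RFC 4253 7.1: the first algorithm on the CLIENT's list that the server
    also supports wins. Returns None when the lists are disjoint, which is
    the 'no matching key exchange method' failure a user would see."""
    offered = set(server)
    for alg in client:
        if alg in offered:
            return alg
    return None


def kex_gap(client: Sequence[str], server: Sequence[str]) -> List[str]:
    """Client methods the server no longer offers, in client preference
    order. Useful when triaging an interoperability report."""
    offered = set(server)
    return [alg for alg in client if alg not in offered]


def compat_kex_line(server: Sequence[str], reenable: Sequence[str]) -> str:
    """Build an explicit sshd_config KexAlgorithms line that keeps the
    server's modern methods first and appends only the named legacy
    methods. Helper is this example's own; the directive itself is real."""
    ordered = list(server) + [alg for alg in reenable if alg not in server]
    return "KexAlgorithms " + ",".join(ordered)


def parse_kex_line(line: str) -> List[str]:
    """Parse a 'KexAlgorithms a,b,c' line back into an ordered list."""
    keyword, _, value = line.strip().partition(" ")
    if keyword != "KexAlgorithms":
        raise ValueError("not a KexAlgorithms line: %r" % line)
    return [alg for alg in value.split(",") if alg]


if __name__ == "__main__":
    print("legacy client vs modern server:",
          negotiate(LEGACY_CLIENT_KEX, MODERN_SERVER_KEX))
    print("missing on server:", kex_gap(LEGACY_CLIENT_KEX, MODERN_SERVER_KEX))
    # Re-enable only group-exchange-sha1 (negotiated group size), not the
    # fixed 1024-bit group1, while the client side is being fixed.
    line = compat_kex_line(MODERN_SERVER_KEX,
                           ["diffie-hellman-group-exchange-sha1"])
    print(line)
    print("legacy client vs compat server:",
          negotiate(LEGACY_CLIENT_KEX, parse_kex_line(line)))
    print("modern client vs compat server:",
          negotiate(MODERN_SERVER_KEX, parse_kex_line(line)))
```

Because negotiation is driven by the client's preference order, appending a legacy method at the end of the server's list changes nothing for clients that already speak the SHA-2 methods; it only gives the legacy client something to agree on. Such a line is a stopgap to be removed once the client (here, Twisted Conch) gains SHA-2 support, which is the direction the message commits to.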