Package: openssh
Version: 1:10.2p1-5

Hi!

The Debian OpenSSH package contains the following files, which are generated from external sources and are not re-built during the build:

  https://sources.debian.org/src/openssh/1%3A10.2p1-5/ed25519.c
  https://sources.debian.org/src/openssh/1%3A10.2p1-5/libcrux_mlkem768_sha3.h
  https://sources.debian.org/src/openssh/1%3A10.2p1-5/sntrup761.c

The process to re-generate the files is detailed by upstream in:

  https://sources.debian.org/src/openssh/1%3A10.2p1-5/ed25519.sh
  https://sources.debian.org/src/openssh/1%3A10.2p1-5/mlkem768.sh
  https://sources.debian.org/src/openssh/1%3A10.2p1-5/sntrup761.sh

These scripts are well-written and I have confirmed that they work, but they require some external source code files that somehow would have to be included in Debian. It would be nice if we only relied on generated files after rebuilding them from the actual real source code. I suppose upstream OpenSSH will react to security vulnerabilities in these generated files, but if someone releases a fix for some vulnerability in any of the upstream source code (or the tools used to generate the files), we could issue a security fix more quickly.

/Simon