On Sat, Oct 11, 2014 at 08:14:58AM +0000, Mike Gabriel wrote:
> On Fr 10 Okt 2014 01:36:17 CEST, Colin Watson wrote:
> >I'm a bit wary given upstream's fairly strenuous objections. In cases
> >where I feel I know something better than upstream I do sometimes decide
> >to carry a patch anyway of course, but in this case I'm far from a
> >relevant expert. Do you think that perhaps somebody could re-engage
> >with that upstream bug and see if they can work through the objections?
>
> I guess the discussion is about security models. Whereas X11 has a
> security model and thus can justify using kernel namespace sockets
> (the argument a file socket with 0777 is equivalent to a kernel
> namespace socket fully applies IMHO...). I think it is not on the
> OpenSSH side to judge the concept of kernel namespace sockets to be
> good or bad.
>
> The point is, X11 uses them, has a security model behind the X11
> socket files (or kernel namespace sockets) and the X11 developers
> announced the possibility to drop the file sockets completely.
>
> For X2Go (a while back), I implemented kernel namespace socket
> support for nxagent [1] and nxproxy [2]. The nxproxy patch [2] I
> imitated from the OpenSSH abstract socket support in Fedora and it
> works very well with nxproxy.
>
> Furthermore, this kernel namespace patch for OpenSSH only affects
> X11 forwarding. So, OpenSSH should really adapt to what the X11 come
> up with.

Thanks, but I'm not asking you to persuade me, I'm asking for somebody
to persuade upstream. That's probably going to involve communication on
the upstream bug and/or on openssh-unix-dev.

Cheers,

-- 
Colin Watson [[email protected]]

