On Mon, Nov 11, 2024 at 03:04:05PM -0300, Andreas Hasenack wrote:
> I'm aware of the upcoming split[1] in openssh packages. This will of
> course affect, and benefit, downstream distributions, like Ubuntu,
> which also carries the key exchange patch.
>
> It's my understanding we will have two openssh src packages, right?
> One will produce binaries built without --with-kerberos5, and the
> other will enable kerberos5/gssapi, and the key exchange patch,
> correct?

Correct.

> In this cycle Ubuntu would like to try the unique-ccache patch[2] from
> Fedora, as we have seen some demand[3] for it. I understand it feels
> like the same trap that the key exchange patch created, but having the
> packages/builds split like described above will help reduce the risk
> of this change and make it opt-in basically. We have been trying
> that patch out in jammy and noble with a launchpad recipe for daily
> builds, and have also added DEP8 tests specifically for the changes
> the patch introduces. So far, so good.

Well, I suppose it just goes with the other pile of GSS-API-related
things.

> Do you have an idea when the work on this split will continue, or more
> details in general?

https://lists.debian.org/debian-devel/2024/04/msg00044.html has a
timeline, in the "GSS-API key exchange" section. The only change is
that I'm calling the packages openssh-*-gssapi rather than
openssh-*-gsskex, and pushing GSS-API authentication out to the other
side of the split along with key exchange.

It is necessary to wait for a Debian stable release with
openssh-*-gssapi before proceeding, to give people an opportunity for a
graceful upgrade.

Since Ubuntu has not kept up well with openssh merges (still on
9.7p1!), you don't have the openssh-*-gssapi binary packages yet. I
_strongly_ recommend that you get those merged along with the many
other fixes from upstream that you're missing, get them into 26.04 LTS
with a suitable release note telling people to install the
openssh-*-gssapi packages if they need GSS-API authentication or key
exchange, and then you'll be able to follow the source package split in
26.10 or later.

-- 
Colin Watson (he/him) [[email protected]]

