Bug#897950: Bug#1002597: curl: temporarily revert adding libssh-dev to Build-Depends
On Sun, 26 Dec 2021, Samuel Henrique wrote: 1. How is it "a better maintained library" ? I assume this is judging by the amount of recent commits on both projects, so it's not a perfect metric and it's gonna be hard to argue for it in case of disagreement. My assumption might be wrong though and the people who said it could have different metrics for it. I won't say they are, but it *could* be that some people involved there are biased. Of course nobody asked me, but had they, I would have asked for clarification on a lot of those points. Daniel, I won't rush this change and I value your input on this, as both curl and libssh2's upstream, so feel free to take your time to reply. I feel that I'm not on a neutral ground here so I rather avoid taking sides at all. I want the decision to based on sound and solid reasons by people who understand them. Whatever direction it goes. On my initial assessment I couldn't find considerable differences that would weigh in favour of staying with libssh2, I did stumble upon your blogposts talking about performance (libssh2 being better) but they are a bit old and I'm not sure if it's still applicable. Yeah, I haven't done any such comparisons in many years. The situation is much likely very different today. -- / daniel.haxx.se
Bug#1002597: Bug#897950: Bug#1002597: curl: temporarily revert adding libssh-dev to Build-Depends
Hello all, I have replied to Daniel at #897950 (https://bugs.debian.org/897950) Discussions about migrating curl to libssh will follow there. With regards to the libssh-dev build-dep, I have readded it to curl as 7.80.0-3 and Ubuntu will be able to sync again. Note that 7.80.0-3 is not using libssh other than as a build-dep, Debian's curl is still linking against libssh2, it's only on Ubuntu and onwards that they're using libssh. Thank you everyone. -- Samuel Henrique
Bug#897950: Bug#1002597: curl: temporarily revert adding libssh-dev to Build-Depends
Dropping 1002597 from the discussion to focus on 897950. On Sun, 26 Dec 2021 at 10:59, Daniel Stenberg wrote: > What the reason for the switch to begin with? The only reason state in 897950 > seems to be "that's a better maintained library and other distributions > already switched to it". Fedora's wiki states a few security improvements[0], though I didn't double check whether those apply to curl's usage of ssh. > 1. How is it "a better maintained library" ? I assume this is judging by the amount of recent commits on both projects, so it's not a perfect metric and it's gonna be hard to argue for it in case of disagreement. My assumption might be wrong though and the people who said it could have different metrics for it. > 2. Why does it matter what other distros have done? Surely other distros do > all sorts of crazy decisions all the time. Why is this particular one you > think is fine to follow? Let me try to describe where I stand. By following other distros we benefit from a bigger userbase and thus increased chances of receiving patches from those distros through upstream. In the case of syncing with Ubuntu this is even better as they're constantly sending patches back to us. It's a bit of a symbiotic relationship cause they also don't wanna carry over deltas from Debian. It's also sometimes good to try to standardise the packages on a certain library and focus on that, instead of maintaining multiple ones. This is one of the reasons Ubuntu switched to libssh, though I can't say yet if Debian will benefit from this as well (we usually support multiple libraries). This being said, these things don't weigh over "crazy decisions", so we can always divert if we think it's the right thing. Daniel, I won't rush this change and I value your input on this, as both curl and libssh2's upstream, so feel free to take your time to reply. On my initial assessment I couldn't find considerable differences that would weigh in favour of staying with libssh2, I did stumble upon your blogposts talking about performance (libssh2 being better) but they are a bit old and I'm not sure if it's still applicable. >From your message, I believe you are leaning towards sticking with libssh2, and I would be happy to hear your thoughts on it. [0] https://fedoraproject.org/wiki/Changes/libssh-in-libcurl Thank you, -- Samuel Henrique
Bug#1002597: Bug#897950: Bug#1002597: curl: temporarily revert adding libssh-dev to Build-Depends
On Sun, 26 Dec 2021, Samuel Henrique wrote: Well, since we're here now, we should be good to actually switch curl from libssh2 to libssh. Anybody against it? What the reason for the switch to begin with? The only reason state in 897950 seems to be "that's a better maintained library and other distributions already switched to it". 1. How is it "a better maintained library" ? 2. Why does it matter what other distros have done? Surely other distros do all sorts of crazy decisions all the time. Why is this particular one you think is fine to follow? -- / daniel.haxx.se
Bug#897950: Bug#1002597: curl: temporarily revert adding libssh-dev to Build-Depends
Adding 897...@bugs.debian.org to CC, which is asking for curl's switch to libssh > Martin already uploaded libssh and I was able to integrate it into the > bootstrap sequence. That went far quicker than expected. You can revert > the revert now. Well, since we're here now, we should be good to actually switch curl from libssh2 to libssh. Anybody against it? Regards, -- Samuel Henrique
Bug#1002597: curl: temporarily revert adding libssh-dev to Build-Depends
Hi, On Sat, Dec 25, 2021 at 07:41:02PM -0500, Sergio Durigan Junior wrote: > FTR, I'm also fine with waiting until the libssh conundrum is sorted > out. Martin already uploaded libssh and I was able to integrate it into the bootstrap sequence. That went far quicker than expected. You can revert the revert now. Helmut
Bug#1002597: curl: temporarily revert adding libssh-dev to Build-Depends
On Saturday, December 25 2021, Samuel Henrique wrote: > Hello Helmut, > > I've uploaded 7.80.0-2 with a revert for this. > >> So this looks mostly harmless, but involves non-trivial work and I >> didn't check build order yet. Given that curl comes relatively late, I >> don't expect much problems there. >> So can you give me a month? > > Surely, please feel free to take your time, since we are not in a rush. > > For reference, this issue has also been discussed at #1002598 > (https://bugs.debian.org/1002598). Thank you, Helmut and Samuel. FTR, I'm also fine with waiting until the libssh conundrum is sorted out. Cheers, -- Sergio GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36 Please send encrypted e-mail if possible https://sergiodj.net/
Bug#1002597: curl: temporarily revert adding libssh-dev to Build-Depends
Hello Helmut, I've uploaded 7.80.0-2 with a revert for this. > So this looks mostly harmless, but involves non-trivial work and I > didn't check build order yet. Given that curl comes relatively late, I > don't expect much problems there. > So can you give me a month? Surely, please feel free to take your time, since we are not in a rush. For reference, this issue has also been discussed at #1002598 (https://bugs.debian.org/1002598). Thank you -- Samuel Henrique
Bug#1002597: curl: temporarily revert adding libssh-dev to Build-Depends
Source: curl Version: 7.80.0-1 Severity: important Dear curl maintainers, curl has added libssh-dev to Build-Depends. While libssh is cross buildable, it has a lot of unconditional dependencies and cannot be added to the bootstrap set as is. As such, curl has broken architecture bootstrap for all architectures now. I propose that curl temporarily reverts this change. Given a month time, I'll very likely figure out a way to add libssh to the bootstrap set. Is that a workable path forward? libssh build dependencies are: * cmake -> Multi-Arch: foreign * debhelper-compat -> Multi-Arch: foreign * libcmocka-dev -> I guess this could be * libgcrypt-dev -> already part of bootstrap * libkrb5-dev | heimdal-dev -> already part of bootstrap * libssl-dev -> already part of bootstrap * libz-dev -> already part of bootstrap, but needs to become non-virtual * openssh-client -> I guess this could be * openssh-server -> I guess this could be * pkg-config -> Multi-Arch: foreign * python3:any -> annotated :any So this looks mostly harmless, but involves non-trivial work and I didn't check build order yet. Given that curl comes relatively late, I don't expect much problems there. So can you give me a month? Helmut