Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
On 7/26/20 12:57 PM, Ulrich Mueller wrote:
> Even more appropriate would be to enable the flag with an IUSE default.
> The ebuild could still display an ewarn message pointing out the alleged
> security issue.
>
> Ulrich

This'd be nice. A news-worthy update in my opinion regardless.

-- juippis
Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
On Sun, 26 Jul 2020, Rich Freeman wrote:
> Definitely not a "heads up" on the mailing list - that is not an
> appropriate way to communicate anything to users - not even devs are
> required to read this list.
>
> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news. Never hurts to use news. Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

Even more appropriate would be to enable the flag with an IUSE default.
The ebuild could still display an ewarn message pointing out the alleged
security issue.

Ulrich
Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
On 7/26/20 2:05 AM, Rich Freeman wrote:
> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news. Never hurts to use news. Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

ewarn please, einfo is too weak

-- Toralf
PGP 23217DA7 9B888F45
Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
On Sat, Jul 25, 2020 at 08:05:14PM -0400, Rich Freeman wrote:
> On Sat, Jul 25, 2020 at 7:40 PM Joshua Kinard wrote:
> >
> > This seems like something that needs a news entry, or
> > at least a "heads up" on the mailing list?
>
> Definitely not a "heads up" on the mailing list - that is not an
> appropriate way to communicate anything to users - not even devs are
> required to read this list.
>
> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news. Never hurts to use news. Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

Just to have this information here for easy access, this is upstream's
response from that bug's URL [1]. They recommend "rsync or something else":

  The scp command is a historical protocol (called rcp) which relies upon
  that style of argument passing and encounters expansion problems. It has
  proven very difficult to add "security" to the scp model. All attempts to
  "detect" and "prevent" anomalous argument transfers stand a great chance
  of breaking existing workflows. Yes, we recognize it the situation sucks.
  But we don't want to break the easy patterns people use scp for, until
  there is a commonplace replacement. People should use rsync or something
  else instead if they are concerned.

[1] https://github.com/cpandya2909/CVE-2020-15778/
Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
On Sat, Jul 25, 2020 at 7:40 PM Joshua Kinard wrote:
>
> This seems like something that needs a news entry, or
> at least a "heads up" on the mailing list?

Definitely not a "heads up" on the mailing list - that is not an
appropriate way to communicate anything to users - not even devs are
required to read this list.

The two appropriate ways to communicate something like this are
einfo/ewarn/etc or news. Never hurts to use news. Ideally I'd point
to a substitute, and I'd suggest one myself if I were aware of one...

-- Rich
[gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
So I stumbled into Bug #733802, which now defaults the 'scp' USE flag to off
in net-misc/openssh. This seems like something that needs a news entry, or
at least a "heads up" on the mailing list? Potential for some scripts to
break if scp suddenly goes missing after an openssh update.

-- Joshua Kinard
Gentoo/MIPS
ku...@gentoo.org
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us. And
our lives slip away, moment by moment, lost in that vast, terrible
in-between."

--Emperor Turhan, Centauri Republic