Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-04-09 Thread Dirkjan Ochtman
On Tue, Apr 8, 2014 at 8:40 PM, Mike Gilbert flop...@gentoo.org wrote:
 A bug in an upstream-supported feature is quite different from a
 patched-in feature that upstream doesn't support.

Since no maintainer has spoken up here, I filed a bug:

https://bugs.gentoo.org/show_bug.cgi?id=507210

I filed a similar bug about openssl[tls-heartbeat] yesterday:

https://bugs.gentoo.org/show_bug.cgi?id=507130

Cheers,

Dirkjan



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-04-09 Thread Rick Zero_Chaos Farina
On 04/08/2014 02:40 PM, Mike Gilbert wrote:

Gentoo typically tries to keep patching to a minimum in general.  To be
enabling something like this by default seems bad, the fact that it is
openssh compounds that.  +1 for removing the + and leaving this optional
(default off).

I see no reason to not allow users who want the feature to have it, but
let's not pretend that openssh is not important enough to have a little
special treatment.  Openssh has a fantastic security record, let's see
if we can keep it that way by default.

-Zero



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-04-09 Thread Rich Freeman
On Tue, Apr 8, 2014 at 11:03 PM, Rick Zero_Chaos Farina
zeroch...@gentoo.org wrote:
 Gentoo typically tries to keep patching to a minimum in general.  To be
 enabling something like this by default seems bad, the fact that it is
 openssh compounds that.  +1 for removing the + and leaving this optional
 (default off).

In general I agree with this approach.  I think hpn is a bit more of a
judgment call as it appears to be fairly mainstream and
well-supported.  I don't understand why it wasn't merged in, and
perhaps the answer to that question might be informative.

Still, big patch sets that aren't upstreamed should probably not be
the default.  Patches needed to integrate a package into Gentoo as a
whole should of course be the default, since that is our whole reason
for being.

Rich



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-04-09 Thread Kristian Fiskerstrand
On 04/09/2014 05:03 AM, Rick Zero_Chaos Farina wrote:
 On 04/08/2014 02:40 PM, Mike Gilbert wrote:
 
 Gentoo typically tries to keep patching to a minimum in general.
 To be enabling something like this by default seems bad, the fact
 that it is openssh compounds that.  +1 for removing the + and
 leaving this optional (default off).

Just to pitch in that as a user I'm in favor of this approach as well.

-- 
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Vincit qui se vincit
He who conquers conquers self



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-04-09 Thread Joshua Kinard
On 04/09/2014 10:54, Rich Freeman wrote:
 On Tue, Apr 8, 2014 at 11:03 PM, Rick Zero_Chaos Farina
 zeroch...@gentoo.org wrote:
 Gentoo typically tries to keep patching to a minimum in general.  To be
 enabling something like this by default seems bad, the fact that it is
 openssh compounds that.  +1 for removing the + and leaving this optional
 (default off).
 
 In general I agree with this approach.  I think hpn is a bit more of a
 judgment call as it appears to be fairly mainstream and
 well-supported.  I don't understand why it wasn't merged in, and
 perhaps the answer to that question might be informative.
 
 Still, big patch sets that aren't upstreamed should probably not be
 the default.  Patches needed to integrate a package into Gentoo as a
 whole should of course be the default, since that is our whole reason
 for being.

Part of me thinks it's a time availability issue.  OpenSSH is, effectively,
a sub-project of OpenBSD, and I believe they focus primarily on making it
work on OBSD, followed by the portable releases to other OSes.

I myself am testing an updated patch to enable SSH over SCTP that's been
sitting in their bug queue[1] for a good while.  Working well so far on
Linux/amd64, Linux/mips, and FreeBSD/amd64[VM], so I was thinking of adding
it to our ebuild via the 'sctp' USE, defaulted to off.

That said, I searched the OpenSSH bugzilla for hpn and high performance,
and nothing comes back, so it appears that the HPN patch has not been put
into their bugzilla.  Hence, it's probably not on the priority list for
inclusion.

This link explains HPN support better:
http://www.psc.edu/index.php/hpn-ssh/640

The question at the bottom of that FAQ indicates that the HPN upstream has
provided the patch to the OpenSSH devs, but they really should create a bug
for it and attach their patch there.

Refs:
1. https://bugzilla.mindrot.org/show_bug.cgi?id=2016

-- 
Joshua Kinard
Gentoo/MIPS
ku...@gentoo.org
4096R/D25D95E3 2011-03-28

The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between.

--Emperor Turhan, Centauri Republic



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-04-08 Thread Marcin Mirosław
On 2014-03-31 19:35, Toralf Förster wrote:
 On 03/31/2014 01:15 PM, Alex Xu wrote:
 On 31/03/14 03:36 AM, Dirkjan Ochtman wrote:
 So, I'm interested... How widely used is the HPN patch set? Are there
 any good indications that it doesn't negatively impact security?
 
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=292932
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693424
 
 https://lists.fedoraproject.org/pipermail/devel/2007-July/105570.html
 
 https://aur.archlinux.org/packages/openssh-hpn/
 
 https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/162253
 
 
 Those bug reports are good arguments to have HPN as a feature in openssh.
 
 And most of them now many years old and still open.
 
 That's an argument to rethink if HPN should be activated quietly.

According to last problem with openssl and +tls-heartbeat I'd like to
see less features enabled by default. USE=-* isn't the best solution;)

Marcin



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-04-08 Thread Mike Gilbert
On Tue, Apr 8, 2014 at 2:34 PM, Marcin Mirosław mar...@mejor.pl wrote:
 According to last problem with openssl and +tls-heartbeat I'd like to
 see less features enabled by default. USE=-* isn't the best solution;)


A bug in an upstream-supported feature is quite different from a
patched-in feature that upstream doesn't support.



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-03-31 Thread Dirkjan Ochtman
On Sat, Mar 29, 2014 at 11:31 PM, hasufell hasuf...@gentoo.org wrote:
 We have had those debates whether the + should follow upstream
 decisions and such. Short answer: the maintainer decides. There is no
 consistency for this and there will never be.

That may be true, I still think it behooves us to be particularly
careful about including non-upstream patches on extremely sensitive
software such as openssh, so I don't think saying maintainer decides
is a good enough response to Toralf's questions.

On Mon, Mar 31, 2014 at 1:15 AM, Duncan 1i5t5.dun...@cox.net wrote:
 Gentoo has never pretended to be a hand-holding distribution (tho it
 seems to be getting rather more so these days); gentooers ignoring that
 recommendation... get to keep the pieces. =:^)

While I can see where you're coming from, that doesn't mean the Gentoo
developers shouldn't provide sensible defaults. If we load up all
Gentoo systems with an insecure OpenSSH by default, saying ah, you
should have fixed the configuration is just a cop-out.

So, I'm interested... How widely used is the HPN patch set? Are there
any good indications that it doesn't negatively impact security?

Cheers,

Dirkjan



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-03-31 Thread Alex Xu
On 31/03/14 03:36 AM, Dirkjan Ochtman wrote:
 So, I'm interested... How widely used is the HPN patch set? Are there
 any good indications that it doesn't negatively impact security?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=292932
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693424

https://lists.fedoraproject.org/pipermail/devel/2007-July/105570.html

https://aur.archlinux.org/packages/openssh-hpn/

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/162253





Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-03-31 Thread Toralf Förster
On 03/31/2014 01:15 PM, Alex Xu wrote:
 On 31/03/14 03:36 AM, Dirkjan Ochtman wrote:
 So, I'm interested... How widely used is the HPN patch set? Are there
 any good indications that it doesn't negatively impact security?
 
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=292932
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693424
 
 https://lists.fedoraproject.org/pipermail/devel/2007-July/105570.html
 
 https://aur.archlinux.org/packages/openssh-hpn/
 
 https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/162253
 

Those bug reports are good arguments to have HPN as a feature in openssh.

And most of them now many years old and still open.

That's an argument to rethink if HPN should be activated quietly.


-- 
MfG/Sincerely
Toralf Förster
pgp finger print:1A37 6F99 4A9D 026F 13E2 4DCF C4EA CDDE 0076 E94E



[gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-03-29 Thread Toralf Förster
WRT to but 504616 I'd like to address my questions made in 
https://bugs.gentoo.org/show_bug.cgi?id=504616#c6 to this list again :

Since the Debian debakel with fixing an uninitialized memeory I'm 
very skeptical to distribution specific corrections which are not included 
upstream. At least I'm wondering if the USE flag hpn should be enabled by the 
user explicitely - currently it is in  IUSE already.



-- 
MfG/Sincerely
Toralf Förster
pgp finger print:1A37 6F99 4A9D 026F 13E2 4DCF C4EA CDDE 0076 E94E



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-03-29 Thread Alex Xu
On 29/03/14 06:07 AM, Toralf Förster wrote:
 WRT to but 504616 I'd like to address my questions made in 
 https://bugs.gentoo.org/show_bug.cgi?id=504616#c6 to this list again :
 
   Since the Debian debakel with fixing an uninitialized memeory I'm 
 very skeptical to distribution specific corrections which are not included 
 upstream. At least I'm wondering if the USE flag hpn should be enabled by the 
 user explicitely - currently it is in  IUSE already.
 
 
 
 

1. Please use a spelling checker.

2. IUSE doesn't mean what you think it means.
http://devmanual.gentoo.org/quickstart/#ebuild-with-use-flags





Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-03-29 Thread Tom Wijsman
On Sat, 29 Mar 2014 07:15:14 -0400
Alex Xu alex_y...@yahoo.ca wrote:

 On 29/03/14 06:07 AM, Toralf Förster wrote:
  WRT to but 504616 I'd like to address my questions made in
  https://bugs.gentoo.org/show_bug.cgi?id=504616#c6 to this list
  again :
  
  Since the Debian debakel with fixing an uninitialized
  memeory I'm very skeptical to distribution specific corrections
  which are not included upstream. At least I'm wondering if the USE
  flag hpn should be enabled by the user explicitely - currently it
  is in  IUSE already.
 
 1. Please use a spelling checker.
 
 2. IUSE doesn't mean what you think it means.
 http://devmanual.gentoo.org/quickstart/#ebuild-with-use-flags

Toralf wants to indicate that it is implicitly enabled by default (by
the '+' character); and thus, he would like to see it become disabled by
default, such that the user can explicitly enable it.

-- 
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : tom...@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2  ABF0 95B2 1FCD 6D34 E57D




Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-03-29 Thread Toralf Förster
On 03/29/2014 08:12 PM, Tom Wijsman wrote:
 On Sat, 29 Mar 2014 07:15:14 -0400 Alex Xu alex_y...@yahoo.ca
 wrote:
 
 On 29/03/14 06:07 AM, Toralf Förster wrote:
 WRT to but 504616 I'd like to address my questions made in 
 https://bugs.gentoo.org/show_bug.cgi?id=504616#c6 to this list 
 again :
 
 Since the Debian debakel with fixing an uninitialized 
 memeory I'm very skeptical to distribution specific
 corrections which are not included upstream. At least I'm
 wondering if the USE flag hpn should be enabled by the user
 explicitely - currently it is in  IUSE already.
 
 1. Please use a spelling checker.
 
 2. IUSE doesn't mean what you think it means. 
 http://devmanual.gentoo.org/quickstart/#ebuild-with-use-flags
 
 Toralf wants to indicate that it is implicitly enabled by default
 (by the '+' character); and thus, he would like to see it become
 disabled by default, such that the user can explicitly enable it.
 
Yes - that's what I want.

At least an einfo should be added to the package IMO telling the user
that HPN is enabled by default.


-- 
MfG/Sincerely
Toralf Förster
pgp finger print:1A37 6F99 4A9D 026F 13E2 4DCF C4EA CDDE 0076 E94E



Re: [gentoo-dev] Why is IUSE=hpn mandatory in openssh ?

2014-03-29 Thread hasufell
Toralf Förster:
 On 03/29/2014 08:12 PM, Tom Wijsman wrote:
 On Sat, 29 Mar 2014 07:15:14 -0400 Alex Xu alex_y...@yahoo.ca 
 wrote:
 
 On 29/03/14 06:07 AM, Toralf Förster wrote:
 WRT to but 504616 I'd like to address my questions made in 
 https://bugs.gentoo.org/show_bug.cgi?id=504616#c6 to this
 list again :
 
 Since the Debian debakel with fixing an uninitialized 
 memeory I'm very skeptical to distribution specific 
 corrections which are not included upstream. At least I'm 
 wondering if the USE flag hpn should be enabled by the user 
 explicitely - currently it is in  IUSE already.
 
 1. Please use a spelling checker.
 
 2. IUSE doesn't mean what you think it means. 
 http://devmanual.gentoo.org/quickstart/#ebuild-with-use-flags
 
 Toralf wants to indicate that it is implicitly enabled by
 default (by the '+' character); and thus, he would like to see it
 become disabled by default, such that the user can explicitly
 enable it.
 
 Yes - that's what I want.

We have had those debates whether the + should follow upstream
decisions and such. Short answer: the maintainer decides. There is no
consistency for this and there will never be.

 
 At least an einfo should be added to the package IMO telling the
 user that HPN is enabled by default.
 

No, that's not the right approach. There are tools you can use to
check what flags are enabled. Use 'eix' and 'equery' for example.
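The two packaging points made in this thread, Tom's explanation that a '+' prefix in IUSE makes a flag enabled by default and the advice above to check which flags are actually on, rendered as a small POSIX shell model. This is an added example, not code from the Gentoo tree, from Portage, or from any participant; the IUSE and USE strings are constructed samples, and the resolution is deliberately simplified (real Portage also consults profiles and package.use, which this ignores).

```shell
#!/bin/sh
# Simplified model of how Portage treats IUSE defaults (added example, not
# Gentoo's own code). A flag written as "+flag" in IUSE is on unless the user
# turns it off; a bare "flag" is off unless the user turns it on. Real
# resolution also consults profiles and package.use, which this ignores.
set -f   # no pathname expansion, so a user setting of "-*" stays literal

# Print the flags that IUSE marks default-enabled (the "+" prefix), one per line.
iuse_defaults() {
    for f in $1; do
        case "$f" in
            +*) printf '%s\n' "${f#+}" ;;
        esac
    done
}

# Compute the enabled flags for an IUSE string ($1) under a make.conf-style
# USE string ($2). "-*" in USE resets every flag to off before later words
# are applied; otherwise "flag" enables and "-flag" disables. Output: the
# enabled flags, space-separated, in IUSE order.
effective_flags() {
    iuse=$1
    user=$2
    out=""
    for f in $iuse; do
        name=${f#+}
        # Default comes from the ebuild: "+" means on, anything else off.
        case "$f" in
            +*) state=on ;;
            *)  state=off ;;
        esac
        # User words are applied left to right; the last matching one wins.
        for u in $user; do
            case "$u" in
                "-*")      state=off ;;
                "-$name")  state=off ;;
                "$name")   state=on ;;
            esac
        done
        if [ "$state" = on ]; then
            out="$out $name"
        fi
    done
    printf '%s' "${out# }"
}

# Constructed sample resembling the openssh ebuild under discussion: hpn is
# default-on, the other flags default-off.
SAMPLE_IUSE="+hpn X kerberos ldap pam"

echo "default-on flags:       $(iuse_defaults "$SAMPLE_IUSE" | tr '\n' ' ')"
echo "USE=\"\"              -> $(effective_flags "$SAMPLE_IUSE" "")"
echo "USE=\"kerberos\"      -> $(effective_flags "$SAMPLE_IUSE" "kerberos")"
echo "USE=\"-hpn kerberos\" -> $(effective_flags "$SAMPLE_IUSE" "-hpn kerberos")"
echo "USE=\"-* pam\"        -> $(effective_flags "$SAMPLE_IUSE" "-* pam")"
```

With an empty USE the model still reports hpn as enabled, which is exactly the quiet default the thread objects to; only an explicit "-hpn" (or the blunt "USE=-*" Marcin mentions) turns it off. On an installed system the same question is answered by the tools named above, for instance `equery uses openssh`, rather than by reading the ebuild.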