Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh

2020-07-27 Thread Joonas Niilola

On 7/26/20 12:57 PM, Ulrich Mueller wrote:
> Even more appropriate would be to enable the flag with an IUSE default.
> The ebuild could still display an ewarn message pointing out the alleged
> security issue.
>
> Ulrich

This'd be nice. A news-worthy update in my opinion regardless.

-- juippis


Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh

2020-07-26 Thread Ulrich Mueller
> On Sun, 26 Jul 2020, Rich Freeman wrote:

> Definitely not a "heads up" on the mailing list - that is not an
> appropriate way to communicate anything to users - not even devs are
> required to read this list.

> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news.  Never hurts to use news.  Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

Even more appropriate would be to enable the flag with an IUSE default.
The ebuild could still display an ewarn message pointing out the alleged
security issue.

Ulrich


Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh

2020-07-26 Thread Toralf Förster
On 7/26/20 2:05 AM, Rich Freeman wrote:
> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news.  Never hurts to use news.  Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

ewarn please, einfo is too weak

-- 
Toralf
PGP 23217DA7 9B888F45


Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh

2020-07-25 Thread John Helmert III
On Sat, Jul 25, 2020 at 08:05:14PM -0400, Rich Freeman wrote:
> On Sat, Jul 25, 2020 at 7:40 PM Joshua Kinard wrote:
> >
> > This seems like something that needs a news entry, or
> > at least a "heads up" on the mailing list?
> 
> Definitely not a "heads up" on the mailing list - that is not an
> appropriate way to communicate anything to users - not even devs are
> required to read this list.
> 
> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news.  Never hurts to use news.  Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

Just to have this information here for easy access, this is upstream's
response from that bug's URL [1]. They recommend "rsync or something else":

The scp command is a historical protocol (called rcp) which relies
upon that style of argument passing and encounters expansion
problems. It has proven very difficult to add "security" to the scp
model. All attempts to "detect" and "prevent" anomalous argument
transfers stand a great chance of breaking existing workflows. Yes,
we recognize the situation sucks. But we don't want to break the
easy patterns people use scp for, until there is a commonplace
replacement. People should use rsync or something else instead if
they are concerned.

[1] https://github.com/cpandya2909/CVE-2020-15778/


Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh

2020-07-25 Thread Rich Freeman
On Sat, Jul 25, 2020 at 7:40 PM Joshua Kinard wrote:
>
> This seems like something that needs a news entry, or
> at least a "heads up" on the mailing list?

Definitely not a "heads up" on the mailing list - that is not an
appropriate way to communicate anything to users - not even devs are
required to read this list.

The two appropriate ways to communicate something like this are
einfo/ewarn/etc or news.  Never hurts to use news.  Ideally I'd point
to a substitute, and I'd suggest one myself if I were aware of one...

-- 
Rich