OpenSSH 8.9p1 deprecated variants cleanup feedback request

grey artkiver at
Mon Mar 14 22:14:05 UTC 2022


Somewhat recently, I submitted a PR for OpenSSH 8.9p1 to bring it
-current with the release on, and it was merged, and all
seemed well with the world, or at least that port, ever so briefly. ;)

Not long after, via Trac, thetrial (alabay) indicated an error with
the +gsskex variant on OS X El Capitan, which I certainly hadn't
tested with my initial Portfile diff and merged PR. After a bit of
rummaging around for a laptop I could access which still had OS X El
Capitan installed, I determined that while the issue indicated was
reproducible, it had more to do with the +gsskex variant and
attempting to apply a patch for 8.8p1. In other words: the issue is
not constrained to El Capitan, it is instead related to the +gsskex
variant and a patch which no longer applies cleanly to the 8.9p1

However, this is a patch (i.e. GSSAPI/gsskex) which has been rejected
from the upstream OpenSSH project, for over two decades now. The
wording in the patch itself is rather cautionary in nature with some
salient quotes from the OpenSSH developer community as far as why they
rejected it and I pasted that quote as an excerpt in the comments in
my next PR effort, which removed references to the patch, as well as
removed the patch itself from the files subdirectory for the OpenSSH

That PR is here:

Additionally, it appears as if the original author of the patch,
Simon Wilkinson, has also abandoned it, with where it previously resided,
presently redirecting to what appears to be his Lighting and Design
career website?

Looking a little bit more deeply into this, aside from getting some
helpful suggestions from Herby (who also suggested I email this
mailing list, hence this message) I couldn't help but notice that
there are still various patches in the OpenSSH port files subdirectory
related to the no longer extant in the Portfile HPN variant, which
also appears to have been deprecated for quite some time? I know
FreeBSD's port also abandoned their HPN related OpenSSH patches some
years ago as well, though I admit I never paid close attention to that
variant with MacPorts to know its lifecycle.

In other words: the OpenSSH port has been without a maintainer, and
the Portfile and associated files subdirectory seem to have accrued
some bitrot.

While I can presumably amend my last PR or submit another PR with a
bit of additional housekeeping to remove the HPN related files for
example, in addition to my extant minimalist effort to simply
eliminate errors in the +gsskex variant (admittedly, without actually
removing references to it with the variant stanzas entirely from the
Portfile, which is probably a wiser decision along that line of
thought) it seems as if it might be worthwhile to bring some of these
issues to the attention of the larger MacPorts developer community for
perspective and hopefully helpful suggestions?

Maybe it is my nerves talking, but especially given that I do not have
commit access and am not the most facile with GitHub having only had
three PRs merged into MacPorts thus far; I don't feel as if I have a
lot of confidence in my actions as related to git presently (I'm an
older than CVS kind of coder, some newfangled Linuxisms rife tools
don't sit well with me). Moreover, maybe some people really liked the
+gsskex/GSSAPI patch for OpenSSH which is why they had refactored it
for 8.8p1? To me, the gsskex variant kind of screams: "yikes,
plausible attack surface" and like the deprecated HPN patches, it and
its associated references and files are worth jettisoning, but I do
not profess to be an authoritative source for any of that so much as I
am sharing my opinion.

What do others think? Feedback is welcome! I didn't mean to harsh on
Renee in the PR comments either, but Renee was pretty up front about
not actually using the OpenSSH port, so I would mostly appreciate
perspective from individuals who do actually use the OpenSSH port and
have some "skin in the game" as the idiomatic expression goes.

For the life of me, I can't really see much good coming from the
+gsskex/GSSAPI variant, but I also do not presently administer any
Kerberos related infrastructure at the moment (thankfully, if slightly
tangentially, I also do not administer any yp related infrastructure
these days anymore and can blissfully only recall them and their
associated security holes with ypcat abuses as distant early 1990s
memories now).

Thank you in advance for any wisdom you may be able to share on this issue!


p.s. Happy π day!

More information about the macports-dev mailing list