[MacPorts] #16911: git-core requiring macports' ssh on leopard, openssh security concern

MacPorts noreply at macports.org
Mon Nov 10 09:02:29 PST 2008


#16911: git-core requiring macports' ssh on leopard, openssh security concern
---------------------------------+------------------------------------------
  Reporter:  bcbarnes at gmail.com  |       Owner:  macports-tickets at lists.macosforge.org
      Type:  defect              |      Status:  new                                  
  Priority:  Normal              |   Milestone:  Port Bugs                            
 Component:  ports               |     Version:  1.6.0                                
Resolution:                      |    Keywords:                                       
      Port:                      |  
---------------------------------+------------------------------------------

Comment(by bcbarnes at gmail.com):

 Replying to [comment:11 nox@…]:
 > It's not in MacPorts policy to use a system software instead of the one
 > provided by MacPorts itself, the only well-known exception is X11. I don't
 > think we should make this exception for openssh too.

 Well, I have no problem with *this port* using openssh installed by
 macports.  To reiterate my original concern, it's that the combination of
 the installed binaries' names and the modification to $PATH by the
 macports' install script results in the system-wide default ssh being the
 macports' ssh, instead of Apple's ssh (again, by a default install of
 macports and git-core).  Perhaps a compromise could be reached by either
 changing the default order in $PATH, or the executable names of the
 openssh binaries (similar to how the gcc4x ports have binary names which
 do not conflict with the system compilers).  The openmpi package also uses
 different binary names by default.  This being said, I'm just a macports
 user, and have no position to tell you all what to do.  I just think this
 is a reasonable solution.  When I use macports and find something not
 working as I would hope, I file a ticket and try to be constructive,
 instead of just complaining somewhere that "macports sucks".  Macports is
 great.  I want to continue using macports when possible for my third-party
 open source software installs, but continuing to subvert the system ssh by
 default would drive me away from macports for my git installation.

 Is there a list somewhere which shows what other OS X /usr/bin or /bin
 executables may be trumped by a macports port install?   I imagine
 something like emacs may be in such a list, but I think replacing the
 default emacs is much less scary than replacing ssh :)

 Please consider the point of view of the security-paranoid end-user, busy
 IT admins, and people who do not often upgrade outdated ports when
 finalizing this change.  Thanks for reading.

-- 
Ticket URL: <http://trac.macports.org/ticket/16911#comment:13>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
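
The comment above asks for a list of /usr/bin or /bin executables that a port install can override through $PATH order. One way to build that list locally, as an added example that is not part of the original message or of MacPorts; the function names and the demo tree (with opt/local/bin standing in for a package prefix placed first in PATH) are constructed for illustration:

```shell
#!/bin/sh
# Added example (not MacPorts code): list system commands overridden via PATH.

# Print the first executable called $1 found in the colon-separated PATH $2.
first_in_path() {
    fip_ifs=$IFS; IFS=:; set -f          # split on ':' only, no globbing
    for fip_dir in $2; do
        fip_try=${fip_dir:-.}; fip_try=${fip_try%/}/$1
        if [ -f "$fip_try" ] && [ -x "$fip_try" ]; then
            IFS=$fip_ifs; set +f
            printf '%s\n' "$fip_try"
            return 0
        fi
    done
    IFS=$fip_ifs; set +f
    return 1
}

# shadowed_commands PATH_STRING SYSTEM_DIR...
# Prints "WINNER shadows SYSTEM_FILE" when lookup lands outside all SYSTEM_DIRs.
shadowed_commands() {
    sc_path=$1; shift
    for sc_sys in "$@"; do
        for sc_file in "$sc_sys"/*; do
            if [ ! -f "$sc_file" ] || [ ! -x "$sc_file" ]; then continue; fi
            sc_win=$(first_in_path "${sc_file##*/}" "$sc_path") || continue
            sc_foreign=yes
            for sc_d in "$@"; do
                if [ "${sc_win%/*}" = "$sc_d" ]; then sc_foreign=no; fi
            done
            if [ "$sc_foreign" = yes ]; then
                printf '%s shadows %s\n' "$sc_win" "$sc_file"
            fi
        done
    done
    return 0
}

# Constructed demo tree standing in for a real system (assumed layout:
# a package prefix bin directory placed ahead of usr/bin and bin).
demo_audit() {
    t=$(mktemp -d) && mkdir -p "$t/opt/local/bin" "$t/usr/bin" "$t/bin"
    for f in opt/local/bin/ssh opt/local/bin/git usr/bin/ssh usr/bin/scp bin/ls; do
        printf '#!/bin/sh\n' > "$t/$f" && chmod +x "$t/$f"
    done
    (cd "$t" && shadowed_commands "opt/local/bin:usr/bin:bin" usr/bin bin)
    rm -rf "$t"
}
demo_audit
```

On a real machine the equivalent call is `shadowed_commands "$PATH" /usr/bin /bin`; system directories must be given exactly as they appear in PATH, since the comparison is textual and does not resolve symlinks.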