[MacPorts] #16911: git-core requiring macports' ssh on leopard, openssh security concern
MacPorts
noreply at macports.org
Sat Oct 18 12:28:42 PDT 2008
#16911: git-core requiring macports' ssh on leopard, openssh security concern
--------------------------------+-------------------------------------------
Reporter: bcbarnes at gmail.com | Owner: macports-tickets at lists.macosforge.org
Type: defect | Status: new
Priority: Normal | Milestone: Port Bugs
Component: ports | Version: 1.6.0
Keywords: | Port:
--------------------------------+-------------------------------------------
I recently installed git-core via macports on OS X 10.5.5 (intel).
macports 1.6.0 recently selfupdate'd.

As a dependency, the port openssh was installed. Due to the way the
postflight script sets paths, /opt/local/bin is searched before /usr/bin .
Therefore, ssh and ssh-keygen from the openssh port are used by default
instead of the OS X ssh utilities.

This raises two concerns:

1. Security. If a vulnerability in ssh leads to an intrusion on my local
machine, my company can blame Apple, or Apple can provide security patches
in a timely fashion. Relying on macports for system security is not a
preferred situation.

2. Why was this needed at all? In Tiger or Leopard, ssh is available by
default. The openssh port should not be installed on Leopard if the
normal system ssh may simply be used instead. It takes up disk space for
no reason.

I really, really do not like macports hijacking a system utility related
to security. At the very worst, the openssh port should install its
binaries with names such as ssh-mp (for -macports), similar to how the
gcc42/gcc43 ports install their compilers with a -mp extension. Then
ports which must use the openssh port instead of the system ssh could
reference the renamed executables.

Thanks for reading.
--
Ticket URL: <http://trac.macports.org/ticket/16911>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
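
The PATH-ordering effect described in the ticket can be audited with a short script. This is an added example, not part of the ticket or of MacPorts' own code; the function names `first_in_path`, `shadowed_tools` and `demo` are hypothetical, and the demo tree is a constructed stand-in for `/opt/local/bin` and `/usr/bin`.

```shell
#!/bin/sh
# Added example (not from the ticket): report tools whose first PATH hit
# is a copy outside the system directory, e.g. /opt/local/bin before /usr/bin.

# first_in_path NAME PATHSTRING: print the first executable DIR/NAME,
# scanning PATHSTRING left to right as the shell does.
first_in_path() {
    name=$1; old_ifs=$IFS; IFS=:; set -f
    for dir in $2; do
        [ -n "$dir" ] || dir=.            # empty element means current dir
        dir=${dir%/}                      # ignore a trailing slash
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# shadowed_tools SYSDIR PATHSTRING NAME...: print one line per tool that
# SYSDIR provides but that resolves to a different copy first.
# Returns 1 if any tool is shadowed, 0 otherwise.
shadowed_tools() {
    sysdir=${1%/}; pathstr=$2; shift 2; found=0
    for tool in "$@"; do
        [ -x "$sysdir/$tool" ] || continue          # system does not ship it
        hit=$(first_in_path "$tool" "$pathstr") || continue
        if [ "$hit" != "$sysdir/$tool" ]; then
            printf '%s: %s shadows %s\n' "$tool" "$hit" "$sysdir/$tool"
            found=1
        fi
    done
    return "$found"
}

# demo: constructed tree where only ssh exists in the earlier directory.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/opt/local/bin" "$root/usr/bin"
    for t in ssh ssh-keygen; do : > "$root/usr/bin/$t"; chmod +x "$root/usr/bin/$t"; done
    : > "$root/opt/local/bin/ssh"; chmod +x "$root/opt/local/bin/ssh"
    rc=0; shadowed_tools "$root/usr/bin" "$root/opt/local/bin:$root/usr/bin" ssh ssh-keygen || rc=$?
    rm -rf "$root"; return "$rc"
}

# Run the constructed demo with: sh script.sh --demo
if [ "${1:-}" = --demo ]; then demo || true; fi
```

On a live system the equivalent check is `shadowed_tools /usr/bin "$PATH" ssh ssh-keygen`, which prints nothing when the system binaries are the ones that resolve.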