[MacPorts] #16911: git-core requiring macports' ssh on leopard, openssh security concern

MacPorts noreply at macports.org
Sat Oct 18 19:59:16 PDT 2008


#16911: git-core requiring macports' ssh on leopard, openssh security concern
---------------------------------+------------------------------------------
  Reporter:  bcbarnes at gmail.com  |       Owner:  macports-tickets at lists.macosforge.org
      Type:  defect              |      Status:  new                                  
  Priority:  Normal              |   Milestone:  Port Bugs                            
 Component:  ports               |     Version:  1.6.0                                
Resolution:                      |    Keywords:                                       
      Port:                      |  
---------------------------------+------------------------------------------

Comment(by blb at macports.org):

 Replying to [comment:4 bcbarnes@…]:
 > Well, if you google for openssh client vulnerabilities, there are
 several thousand links to sort through, but here is a recent example:
 > http://www.ubuntu.com/usn/usn-612-2
 > the famous RNG problem with debian and ubuntu openssh.  That's
 applicable here because if a similar problem existed for macports' ssh,
 well, the first thing I did after installing git-core was run ssh-keygen,
 which was run by the macports binary by default.
 >

 Note that MacPorts doesn't think we can do better than the original
 authors of software, so there won't be any functionality-based patches in
 MacPorts like what Debian did.  The vast majority of patches applied are
 either to get it to work with MacPorts' prefix or to get it to build in the
 first place.  openssh is in fact one that has a few more patches, but these
 are two-fold: one is a "high-performance" patch which comes from psc.edu and
 is applied only if you specifically select it with the +hpn variant; the
 other is a patch to get ssh to work better with Apple's launchd/DISPLAY
 functionality, and this patch comes from Apple.

 > There are other older examples of ssh client problems with X11,
 ssh-agent, and other issues.  And who knows what lies in the future?  The
 point is, a security-critical utility is being overridden by macports
 without warning, or need.  If macports disappeared one day, I would have
 degraded security, thinking that OS X patches of ssh would be helping me,
 when in fact they would not.  Think about the average user who doesn't
 know to check their path or the trac...

 Very true about the future; you never know with software, but this applies
 regardless of your source.  MacPorts is usually quite fast in updating
 ports to the latest version (popular ports are updated in hours or days
 after the new version is available upstream), so security issues fixed
 upstream are fixed here quickly.

-- 
Ticket URL: <http://trac.macports.org/ticket/16911#comment:6>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
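The practical check behind this thread is "which ssh am I actually running?".
The script below is an added example, not part of the ticket or of MacPorts; it
walks PATH in lookup order, lists every `ssh` it finds with its `ssh -V` banner,
and warns when the first hit is not Apple's copy. It assumes the default MacPorts
prefix /opt/local and the system binary at /usr/bin/ssh (override with SYSTEM_BIN);
both are assumptions, not facts stated in the ticket.

```shell
#!/bin/sh
# Added example (not from the ticket or MacPorts): find out whether a
# MacPorts ssh (default prefix /opt/local, assumed) shadows Apple's
# /usr/bin/ssh (assumed) by walking PATH the way the shell does.

# find_on_path NAME [PATHSTRING]
#   Print every executable NAME in PATHSTRING (default: $PATH), one per
#   line, in the order the shell would consider them.
find_on_path() {
    name=$1
    search=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $search; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means cwd
        if [ -x "$dir/$name" ] && [ ! -d "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# first_on_path NAME [PATHSTRING]
#   The single binary that `NAME` resolves to from a shell.
first_on_path() {
    find_on_path "$1" "$2" | head -n 1
}

# shadows_system NAME [PATHSTRING]
#   Succeeds (exit 0) when the first hit is NOT the system copy in
#   ${SYSTEM_BIN:-/usr/bin}, i.e. some other install overrides it.
shadows_system() {
    sysdir=${SYSTEM_BIN:-/usr/bin}
    first=$(first_on_path "$1" "$2")
    [ -n "$first" ] && [ "$first" != "$sysdir/$1" ]
}

# report [NAME]
#   Human-readable summary for the current PATH. OpenSSH prints its
#   version banner on stderr, hence the 2>&1.
report() {
    name=${1:-ssh}
    echo "All '$name' binaries on PATH, in lookup order:"
    find_on_path "$name" | while IFS= read -r bin; do
        printf '  %s  (%s)\n' "$bin" "$("$bin" -V 2>&1 | head -n 1)"
    done
    if shadows_system "$name"; then
        echo "WARNING: $(first_on_path "$name") shadows ${SYSTEM_BIN:-/usr/bin}/$name"
    else
        echo "OK: $name resolves to the system copy"
    fi
}

# Run as `sh check_ssh.sh ssh` to get the report; when sourced (or run
# with no argument) only the functions are defined.
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

After an `sudo port install git-core` the warning line is the quick way to see
that `ssh-keygen` and `git` pulled in `/opt/local/bin/ssh` rather than Apple's
build, which is exactly the situation the reporter is describing.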