[MacPorts] #64748: update OpenSSH to 8.9p1

MacPorts noreply at macports.org
Tue Mar 8 21:24:41 UTC 2022


#64748: update OpenSSH to 8.9p1
-----------------------+--------------------
  Reporter:  artkiver  |      Owner:  (none)
      Type:  update    |     Status:  new
  Priority:  Normal    |  Milestone:
 Component:  ports     |    Version:
Resolution:            |   Keywords:
      Port:  openssh   |
-----------------------+--------------------

Comment (by artkiver):

 Hi thetrial/ (alabay) I am uncertain if git rm in the PR removes the patch
 for previous versions? If so, then that seems unwise, but it is my guess
 that if following instructions such as
 https://trac.macports.org/wiki/howto/InstallingOlderPort that since it
 specifies checking out a specific commit, that presumably the 8.8p1 and
 patch would be made available for users who may still wish to utilize that
 GSSAPI/gsskex patch with 8.8p1 instead of using 8.9p1?

 Alas, I am probably not the right person to attempt to refactor the
 GSSAPI/gsskex patch at this moment. While I have certainly used OpenSSH
 with things such as DuoSec tokens, OATH-TOTP (using Google Authenticator
 tokens), yubico tokens (e.g. the yubico-pam MacPort) and even RSA SecurID
 tokens (via lib-pam-radius-auth some years ago) and I think Bob Beck's
 work with utilizing kerberos and OpenBSD for ethernet authentication to
 provide something not entirely dissimilar to 802.1X port level
 authentication using libre/free open source software (I think he may have
 even later iterated that to use authpf?) as cited here:
 https://cvs.afresh1.com/~andrew/o/events.html#lisa99 I personally do not
 have any GSSAPI infrastructure against which I can test even the previous
 version of the patch.

 Moreover, based upon the, IMHO, rather strong cautionary language of why
 the upstream OpenSSH project did not merge the
 https://github.com/openssh-gsskex patches, as well as the fact that they
 themselves do not appear to have updated their codebase in several months,
 as well as my general tendency to reduce dependencies and attack surfaces
 and thus my own personal choice in using the OpenSSH port is to -kerberos5
 -gsskex -authx variants for example, I am probably not really of the
 general mindset to even think that refactoring the previous patch for the
 current version of OpenSSH is a wise idea without a lot more convincing, and given
 that my interest in updating the port was predominantly to keep it in
 alignment with the openssh.com current release, and I am merely a
 volunteer without commit access, I would encourage you to seek out other
 guidance since I doubt I will be able to be of much additional assistance
 given my present circumstances.

 If you want to see this patch updated, I would suggest maybe reaching out
 to individuals who did work on previous iterations might be a better
 approach, such as found in https://trac.macports.org/ticket/27250 or
 https://trac.macports.org/ticket/60959 ?

 I apologize in advance if that is not a particularly helpful answer, but
 it is the best I can offer at this moment.

 Replying to [comment:14 thetrial]:
 > Replying to [comment:11 artkiver]:
 >
 > > {{{
 > >  git rm openssh-8.8p1-gsskex.patch
 > > }}}
 > >
 > > Under the files subdirectory since that patch should not be needed for
 > > 8.9p1.
 >
 > Is it sure this patch isn’t needed anymore? Of course one can delete
 > the corresponding line in the portfile – but what is the consequence of
 > that patch not being implemented? Why not simply rename the patch file?
 > Is the content of the patch file irrelevant now?
 >

-- 
Ticket URL: <https://trac.macports.org/ticket/64748#comment:16>
MacPorts <https://www.macports.org/>
Ports system for macOS

