Hi Colin,

Colin Watson wrote on Mon, Oct 16, 2017 at 10:26:03AM +0100:

> Which leads me back to my previous question: what conversations have
> there been between the OpenSSH and OpenSSL developers about this
> problem? Has OpenSSL upstream actually been told directly by OpenSSH
> that this is a problem, or are they only hearing about this from users
> trying to compile OpenSSH against 1.1? I've only found evidence of the
> latter in public mailing list posts so far.

I'm not completely sure; i don't know all the private communications either. But note two things:

First, communication problems in cases where OpenSSL was the interested party and OpenBSD developers were trying to help played a part (even though not the only part) in the decision of forking LibreSSL. There had been bug reports from OpenBSD to OpenSSL that went nowhere for considerable times.

Similarly, while i committed little code to OpenSSH (mainly in one small corner, UTF-8 safety) and no code to LibreSSL, i have done substantial work on LibreSSL documentation, and much of that could also be useful for OpenSSL, as an OpenSSL developer privately confirmed to me. I spent a bit of time (some hours) preparing a set of patches (not against their code, but applying conflicting documentation patches by hand is certainly easier than applying conflicting code patches) and sent them directly to OpenSSL more than half a year ago. Last time i checked (when doing my latest merge of documentation improvements from OpenSSL to LibreSSL), none of that had been applied yet.

In the case at hand, we would be asking them to do substantial work that helps us and that they seem to consider not that important for their own purposes. That is likely to work out even worse than doing some work ourselves that is not really needed for our own purposes and mainly intended to help them.

Let's put it this way: As an example, my personal direct communication with OpenSSL members was always polite and friendly, but rarely led to tangible results. Well, maybe there were one or two trivial typo fixes applied some years ago.

> (b) our distribution policy is generally that we strenuously avoid
> using bundled copies of code.

For what it's worth, i actually consider that a good policy in general. The OpenBSD ports tree usually aims for the same goal. Admittedly, in some cases, exceptions are very hard to avoid. For example, at certain times, the porting team couldn't avoid using bundled SQLite in firefox, and so they had to switch back and forth a few times in that respect.

> Fedora has the same policy, and so far has opted to ship a ~3600-line
> patch to OpenSSH to use the 1.1 API.

Frankly, i would feel uncomfortable using OpenSSH on Fedora.

> If my only other option is to use LibreSSL, then that will mean
> packaging LibreSSL separately, and https://bugs.debian.org/754513
> seems to have petered out a couple of years ago,

Reading that thread, my impression is that the main reason is that the question "what is this needed for" was never fully answered. You don't really have to package a library that nothing is using yet. Sure, there were also some technical issues raised, but the thread seems generally constructive to me, even if back then, nobody was in enough of a fix to actually put in the required work.

I imagine if you, as the SSH maintainer, spoke up and said: "OpenSSH requires an OpenSSL-1.0 compatible API, so we must have either an OpenSSL-1.0 or a LibreSSL package in Debian" that might carry some weight and may either make people think again about deleting OpenSSL-1.0 or revitalize the thread about LibreSSL. Doesn't Debian have a policy that established APIs supported upstream cannot be deleted while important software still uses them?

> I realise that this is not the OpenSSH team's
> problem as such, and that as a LibreSSL developer you may well not be
> super-sympathetic to this argument; but nevertheless, I don't think this
> is a viable option right now for us as a distributor.

I completely understand that you are in a difficult situation and that you like none of the options you have:

(1) package LibreSSL
(2) bundle LibreSSL
(3) keep the existing OpenSSL-1.0 package (still supported upstream)

Until somebody sufficiently qualified maintains a compat library, *and* LibreSSL gains 1.1-compatible interfaces *and* OpenSSH switches over (three large items lacking volunteers, which consequently seem very unlikely to be completed by the end of the year), these three are the only options i can see.

Yours,
  Ingo

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev