[Discuss] [Gt-eos] GSI-OpenSSH Packages for Ubuntu

Frank Scheiner scheiner at hlrs.de
Thu Jul 4 14:52:20 CEST 2019

On 7/4/19 11:57, Mischa Salle wrote:
> On Thu, Jul 04, 2019 at 09:07:45AM +0200, Frank Scheiner wrote:
>> Debian uses different versions of OpenSSH in different versions of Debian:
>> * Jessie (oldstable) - OpenSSH 6.7p1
>> * Stretch (stable) - OpenSSH 7.4p1
>> * Sid (unstable) - OpenSSH 7.9p1 => will also be in Buster (testing)
>> ...taken from [1].
>> [1]: https://packages.debian.org/search?suite=all&searchon=names&keywords=openssh-server
>> I don't expect that our current patch set (for 7.5p1) applies to these
>> OpenSSH versions without further modification - but I can be wrong.
>> UPDATE: Ok, I think I understand what you mean. Though I'm not sure if
>> that's so easy:
>> Don't different Debian versions incl. Ubuntu versions link their OpenSSH to
>> different versions of its dependencies? How do we know if our version will
>> always work correctly with the respective dependency on a specific version
>> of Debian or Ubuntu?
> If we build it against a certain Debian version, I don't see a reason
> why it won't work for that Debian version? It's just a different binary
> from the OS-openssh, and we have basically nothing to do with the
> OS openssh.

But maybe with incompatible dependencies in the respective Debian 
versions, isn't that realistic? Well, maybe we just have to try.

>> And what version of OpenSSH should we use, is the one in the GCT tree
>> (7.5p1) still supported? I don't think so, so we would need to get or
>> backport fixes from a 7.5p1 package that's still maintained somewhere.
> That is indeed an issue, but not different from what we do for Fedora.

The situation for Fedora actually is different - as I just noticed:

Because for the Fedora RPM spec files we don't have one for GSI-OpenSSH 
in the GCT tree, it only exists for the different EPEL and Fedora 
releases at Fedora, effectively eliminating the "problem" we currently 
discuss for Debian.

And if there were an RPM spec for GSI-OpenSSH in the GCT, which 
version would we use? The newest one for EPEL or Fedora or something else?

We can't do the same for Debian at the moment, as Debian didn't accept 
the GSI-OpenSSH package because of the amount of code shared with the 
OpenSSH package - i.e. something that seems to be a non-issue for Fedora.

So why not follow the OpenSSH version in Debian unstable for our Debian 
packaging until it gets accepted in Debian? But even after dropping the 
iSSHD and HPN patches there's still a 500+ KiB patch to forward-port to 
a still supported OpenSSH version. Who can do that?

> I'd suggest to use the newest upstream version for which we have a
> patch-set, and compile that for the different Debians and Ubuntus we
> think are useful.

We have:

* one "full" patch set for 7.5p1 for the GCT and the Debian packaging in 
the GCT - but 7.5p1 is no longer supported upstream and I also don't see 
it used by Debian ([1]), Ubuntu ([2]), CentOS 6 ([3]) and 7 ([4]) (ditto 
for SL 6 and 7), Fedora 29 ([5]) and 30 ([6]) or SUSE ([7]) - though I 
don't know what's available for SLES 12 and 15



[3]: http://mirror.centos.org/centos/6/os/x86_64/Packages/

[4]: http://mirror.centos.org/centos/7/os/x86_64/Packages/



[7]: https://software.opensuse.org/package/openssh

* most likely the same for all older OpenSSH versions which could allow 
us to pick a - though older - OpenSSH version that is still supported by 
an OS community or vendor as basis

* one patch set (don't know the exact extent) for 7.6p1 from Eisaku 
Sakane (see [gct issue #72]) - this version is also used in Ubuntu 18.04 
so will be supported by Canonical until end of April 2023

[gct issue #72]: https://github.com/gridcf/gct/issues/72

* GSI-only (@Mattias: Is that correct?) patch sets for EPEL and Fedora 
versions up to the latest upstream version of OpenSSH.


Frank Scheiner

High Performance Computing Center Stuttgart (HLRS)
Department Project User Management & Accounting

Email: scheiner at hlrs.de
Phone: +49 711 685 68039
