Skip to content

openssh: 7.9p1 -> 8.1p1#59806

Merged
edef1c merged 4 commits intoNixOS:stagingfrom
dtzWill:update/openssh-8p1
Oct 19, 2019
Merged

openssh: 7.9p1 -> 8.1p1#59806
edef1c merged 4 commits intoNixOS:stagingfrom
dtzWill:update/openssh-8p1

Conversation

@dtzWill
Copy link
Member

@dtzWill dtzWill commented Apr 18, 2019
edited by edef1c
Loading

Motivation for this change

https://www.openwall.com/lists/oss-security/2019/04/18/1

Sending to staging for anticipated build impact,
please promote to master as needed for security implications.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@GrahamcOfBorg GrahamcOfBorg requested a review from edolstra April 18, 2019 02:49
@GrahamcOfBorg GrahamcOfBorg added 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 501-1000 This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches. labels Apr 18, 2019
@adisbladis
Copy link
Member

adisbladis commented Apr 18, 2019

I think this warrants a release note.

@FRidh
Copy link
Member

FRidh commented Apr 27, 2019

I agree with @adisbladis . Could you add it @dtzWill ?

FRidh
FRidh suggested changes Apr 27, 2019
View reviewed changes
Copy link
Member

@FRidh FRidh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Release note is needed.

@dtzWill dtzWill force-pushed the update/openssh-8p1 branch from 7466bf3 to 856c5a8 Compare May 21, 2019 08:41
c0bw3b
c0bw3b reviewed May 21, 2019
View reviewed changes
@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation labels May 21, 2019
@dtzWill dtzWill force-pushed the update/openssh-8p1 branch from 856c5a8 to e432f1f Compare May 21, 2019 09:23
@dtzWill
Copy link
Member Author

dtzWill commented May 31, 2019

Well the good news is now I kinda maybe know enough doxygen to do this more quickly in the future ;).

Oh, blargh, merge conflict? Gimme a few...

@dtzWill dtzWill force-pushed the update/openssh-8p1 branch from e432f1f to d6e2c68 Compare May 31, 2019 04:11
@aneeshusa
Copy link
Contributor

aneeshusa commented Jun 20, 2019

Thanks for this! I will try to test this in the next few days.
Can you also bump the debian GSSAPI patch? I don't use it myself but I know there are some folks who do. https://salsa.debian.org/ssh-team/openssh/raw/d7e7059a085282da470bd0a4b40b60f01c16806d/debian/patches/gssapi.patch should work.

@dtzWill dtzWill force-pushed the update/openssh-8p1 branch from d6e2c68 to 07dd9a6 Compare August 22, 2019 18:59
@dtzWill dtzWill mentioned this pull request Aug 22, 2019
Closed
10 tasks
@edef1c edef1c force-pushed the update/openssh-8p1 branch from 07dd9a6 to a5ac7ef Compare August 30, 2019 19:30
@edef1c
Copy link
Member

edef1c commented Aug 31, 2019
edited
Loading

My proposal for hpnSupport, after reading logs of IRC discussion in #nixos-security and talking to @flokli: We set meta.broken = hpnSupport for now, and watch who screams about it breaking. This is easy to revert, and gives a clear signal about our willingness to support the (unmaintained) HPN patches. If that goes well, before releasing 19.09, we remove the hpnSupport argument. The latter should go on the list of tasks to cover before we cut the release.

@flokli
Copy link
Member

flokli commented Aug 31, 2019

@edef1c can you push a new version of this PR implementing the suggested changes, and rebase on latest master?

@edef1c edef1c force-pushed the update/openssh-8p1 branch from a5ac7ef to 9bc69b0 Compare September 4, 2019 21:03
@edef1c edef1c force-pushed the update/openssh-8p1 branch from 9bc69b0 to 86ae935 Compare September 4, 2019 21:04
@edef1c
Copy link
Member

edef1c commented Sep 4, 2019
edited
Loading

@edef1c can you push a new version of this PR implementing the suggested changes, and rebase on latest master?

That turns out to be a poor idea (sorry for the mess), but rebase onto the latest staging instead has happened now, and broken = hpnSupport has been added.

@edef1c edef1c added this to the 19.09 milestone Sep 6, 2019
@edef1c edef1c requested a review from FRidh September 6, 2019 09:13
@flokli
Copy link
Member

flokli commented Oct 12, 2019

@edef1c can you move the release notes to 20.03? LGTM otherwise.

@flokli flokli removed this from the 19.09 milestone Oct 12, 2019
@edef1c edef1c self-assigned this Oct 12, 2019
@edef1c edef1c force-pushed the update/openssh-8p1 branch from b8af2ce to cc3b491 Compare October 12, 2019 17:04
@dtzWill
Copy link
Member Author

dtzWill commented Oct 14, 2019

Thank you for your continued work on this @edef1c . For those following along at home, we should now move to 8.1 (having missed 8.0 while it at current 😢): https://www.openssh.com/txt/release-8.1

Easy update from this, for example: c252900 . Especially if we're not anchored by the hpn version (while having no one interested in maintaining it) ;).

@flokli
Copy link
Member

flokli commented Oct 15, 2019

Let's cherry-pick c252900 on top of that and merge it in.

@edef1c
Copy link
Member

edef1c commented Oct 17, 2019

Do we want to do that off this PR? It'll be a little weird to merge an openssh-8p1 branch (which GitHub puts in the merge commit message) and upgrade us to OpenSSH 8.1p1.

@flokli
Copy link
Member

flokli commented Oct 17, 2019

@edef1c this happens with other longer-running PRs aswell.

dtzWill and others added 3 commits October 19, 2019 12:04
@dtzWill @edef1c
openssh: 7.9p1 -> 8.1p1
9199729 
https://www.openwall.com/lists/oss-security/2019/04/18/1
@dtzWill @edef1c
nixos: add release note for openssh upgrade \o/
6db7c9c
@edef1c
openssh: mark hpnSupport as broken
e6d641d 
We're hoping to deprecate HPN support, given that as far as we
can tell, nobody is using it, and the patches seem rather unmaintained.
@edef1c edef1c force-pushed the update/openssh-8p1 branch 2 times, most recently from 181fac3 to e6d641d Compare October 19, 2019 12:12
@edef1c edef1c changed the title openssh: 7.9p1 -> 8.0p1 openssh: 7.9p1 -> 8.1p1 Oct 19, 2019
@edef1c
openssh: don't let configure override SSH_KEYSIGN
9bfec80 
While 9fe1028 ensured that the
ssh-keysign path is searched for in PATH if not absolute,
it doesn't prevent the configure script from defaulting to an
absolute path in $out/libexec, making the whole effort rather
pointless.
@edef1c
Copy link
Member

edef1c commented Oct 19, 2019
edited
Loading

I'm merging this with the addition of a small fix for a deficiency in 9fe1028, since I'd rather not cause two rebuilds of that magnitude.

@edef1c edef1c merged commit 5b1f864 into NixOS:staging Oct 19, 2019
@ajs124 ajs124 mentioned this pull request Oct 29, 2020
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NeQuissimus NeQuissimus NeQuissimus approved these changes

@edolstra edolstra Awaiting requested review from edolstra

@FRidh FRidh Awaiting requested review from FRidh

+1 more reviewer

@c0bw3b c0bw3b c0bw3b left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@edef1c edef1c

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation 10.rebuild-darwin: 501-1000 This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@dtzWill @adisbladis @FRidh @aneeshusa @edef1c @flokli @NeQuissimus @DIzFer @c0bw3b @GrahamcOfBorg