DEP-3 tagging of GSSAPI patches; split old-gssapi.patch more appropriately

author: Colin Watson <cjwatson@debian.org> 2010-02-27 18:08:33 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-02-27 18:08:33 +0000
commit: 56276d29ea829cd4c92cd881b496388d93c23dee (patch)
tree: 29ed53c0e3740b2fc2c138cb5b2a145412564b3b /debian/patches/gssapi.patch
parent: 8dcc7c5ef45cf5032dca7a308ffe17d3935e62d5 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index a60a8b4e1..6550ba60b 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,3 +1,20 @@
+Description: GSSAPI key exchange support
+ This patch has been rejected upstream: "None of the OpenSSH developers are
+ in favour of adding this, and this situation has not changed for several
+ years.  This is not a slight on Simon's patch, which is of fine quality,
+ but just that a) we don't trust GSSAPI implementations that much and b) we
+ don't like adding new KEX since they are pre-auth attack surface.  This one
+ is particularly scary, since it requires hooks out to typically root-owned
+ system resources."
+ .
+ However, quite a lot of people rely on this in Debian, and it's better to
+ have it merged into the main openssh package rather than having separate
+ -krb5 packages (as we used to have).  It seems to have a generally good
+ security history.
+Author: Simon Wilkinson <simon@sxw.org.uk>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
+Last-Updated: 2010-02-27
 Index: b/ChangeLog.gssapi
 ===================================================================
 --- /dev/null
author	Colin Watson <cjwatson@debian.org>	2010-02-27 18:08:33 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-02-27 18:08:33 +0000
commit	56276d29ea829cd4c92cd881b496388d93c23dee (patch)
tree	29ed53c0e3740b2fc2c138cb5b2a145412564b3b /debian/patches/gssapi.patch
parent	8dcc7c5ef45cf5032dca7a308ffe17d3935e62d5 (diff)

diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index a60a8b4e1..6550ba60b 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch
@@ -1,3 +1,20 @@
		1	Description: GSSAPI key exchange support
		2	This patch has been rejected upstream: "None of the OpenSSH developers are
		3	in favour of adding this, and this situation has not changed for several
		4	years. This is not a slight on Simon's patch, which is of fine quality,
		5	but just that a) we don't trust GSSAPI implementations that much and b) we
		6	don't like adding new KEX since they are pre-auth attack surface. This one
		7	is particularly scary, since it requires hooks out to typically root-owned
		8	system resources."
		9	.
		10	However, quite a lot of people rely on this in Debian, and it's better to
		11	have it merged into the main openssh package rather than having separate
		12	-krb5 packages (as we used to have). It seems to have a generally good
		13	security history.
		14	Author: Simon Wilkinson <simon@sxw.org.uk>
		15	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
		16	Last-Updated: 2010-02-27
		17
1	Index: b/ChangeLog.gssapi	18	Index: b/ChangeLog.gssapi
2	===================================================================	19	===================================================================
3	--- /dev/null	20	--- /dev/null