From 0b848463a5673dabee2561bd381c679d673d2215 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Mon, 9 Jun 2008 11:08:17 +0000 Subject: Add documentation on removing openssh-blacklist locally (see #484269). --- debian/README.compromised-keys | 27 +++++++++++++++++++++++++++ debian/changelog | 1 + 2 files changed, 28 insertions(+) diff --git a/debian/README.compromised-keys b/debian/README.compromised-keys index bfffc154a..7a9cb7657 100644 --- a/debian/README.compromised-keys +++ b/debian/README.compromised-keys @@ -138,3 +138,30 @@ OpenSSL: 3. If certificates have been generated for use on other systems, they must be found and replaced as well. + +== Removing openssh-blacklist == + +For the moment, the openssh-server package depends on openssh-blacklist, in +order that the blacklist is deployed to the maximum possible number of +systems to reduce the potential spread of worms exploiting this +vulnerability. We acknowledge that this may be inconvenient for some small +systems, but nevertheless feel that this was the best course of action. + +If you absolutely need to remove the blacklist from your system, then you +can run the following commands to substitute a fake package for +openssh-blacklist: + + sudo apt-get install equivs + equivs-control openssh-blacklist.ctl + sed -i 's/^Package:.*/Package: openssh-blacklist/' openssh-blacklist.ctl + sed -i 's/^# Version:.*/Version: 9:1.0/' openssh-blacklist.ctl + equivs-build openssh-blacklist.ctl + sudo dpkg -i openssh-blacklist_1.0_all.deb + +Be warned: this circumvents a security measure for the sake of disk space. +You should only do this if you have no other option, and if you are certain +that no compromised keys will ever be generated on or copied onto this +system. + +Once a sufficient amount of time and number of releases have passed, the +openssh-blacklist package will be phased out. diff --git a/debian/changelog b/debian/changelog index 3c80768b5..9e4ec47bf 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -13,6 +13,7 @@ openssh (1:4.7p1-13) UNRELEASED; urgency=low * Drop openssh-client-udeb isinstallable hack, as main-menu (>= 1.26) now takes care of that (thanks, Frans Pop; closes: #484404). * Update DEB_BUILD_OPTIONS parsing code from policy 3.8.0. + * Add documentation on removing openssh-blacklist locally (see #484269). -- Colin Watson Fri, 30 May 2008 23:26:25 +0100 -- cgit v1.2.3
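Review bot: in the README.compromised-keys hunk, the "Be warned: this circumvents a security measure..." paragraph sits after the six-command recipe, so a reader working through the steps in order has already installed the dummy package before seeing the caveat; move that paragraph above "you can run the following commands" so the trade-off is read first. The hunk also never explains the `sed -i 's/^# Version:.*/Version: 9:1.0/'` line: the epoch-9 version is what keeps apt from replacing the equivs dummy with the real openssh-blacklist on later upgrades, and a half-sentence saying so (e.g. "the 9: epoch keeps the dummy package sorted above any real release") would stop people "correcting" it to a plain 1.0. Finally, note that `dpkg -i` of a package with the same name will upgrade the installed openssh-blacklist in place and drop its blacklist files, which is the intended effect but worth stating explicitly since the text never says the real package is removed.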