Some of you may have noticed that OpenSSH in base is lagging far behind the upstream code.

The main reason for this is the burden of maintaining the HPN patches. They are extensive, very intrusive, and touch parts of the OpenSSH code that change significantly in every release. Since they are not regularly updated, I have to choose between trying to resolve the conflicts myself (hoping I don't break anything) or waiting for them to catch up and then figuring out how to apply the new version.

Therefore, I would like to remove the HPN patches from base and refer anyone who really needs them to the openssh-portable port, which has them as a default option. I would also like to remove the NONE cipher patch, which is also available in the port (off by default, just like in base).

DES
-- 
Dag-Erling Smørgrav - des at des.no
On 10/11/2015 8:42 PM, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).
>
> DES
>

I for one, support our new consistent-with-upstream, improved-productivity and lower-risk-for-regressions-in-base overlords.

./koobs
On 10-11-2015 10:42, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

Hi Des,

I know I've installed the ports once to see if, and how, I would be able to add more IP-address info to some of the warnings and errors, and then to get those errors recognised by tools like sshguard and fail2ban. Only to find out that the code in that area in ports is completely different from what is in base. And submitting "patches" for that, even upstream, would be fairly useless. So I understand the trouble you might have in getting other stuff in as well.

Getting the base version more in line with ports would be a real good thing.

I guess you need to manage the fallout that there is going to be from those that expect HPN to be in base, and now suffer performance issues.

--WjW
Hi,

> On 10 Nov 2015, at 09:42, Dag-Erling Smørgrav <des at des.no> wrote:
>
> [...]
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

Can't argue with that. Is removing HPN going to impact the performance of tunnelled X connexions?

> DES
> -- 
> Dag-Erling Smørgrav - des at des.no

-- 
Bob Bishop
rb at gid.co.uk
On Tue, Nov 10, 2015 at 10:42:49AM +0100, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

I plan to use NONE and HPN for bulk transfer, but I don't see a performance improvement; in both cases I see only 500Mbit/s.
On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

My current employer is a big proponent of HPN (see http://fasterdata.es.net/data-transfer-tools/scp-and-sftp/). However, I agree that the difficulty of patching to the changing upstream is significant. Frankly, I am quite impressed that you have been able to keep up with it for this long.

I would be more than happy if the HPN patches continued to be in the port version and base were able to keep up with the upstream by removing the HPN dependency. There will be some places where we will notice the difference in performance; in those cases we will install the HPN-patched port.

michael
Dag-Erling Smørgrav wrote this message on Tue, Nov 10, 2015 at 10:42 +0100:
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

My vote is to remove the HPN patches.

First, the NONE cipher made more sense back when we didn't have AES-NI widely available, and you were seriously limited by its performance. Now we have both aes-gcm and chacha-poly, whose performance should be more than acceptable for today's uses (i.e. cipher performance is 2GB/sec+).

Second, I did some testing recently due to a thread on -net, and I found no significant (not run statistically though) difference in performance between in-HEAD ssh and OpenSSH 7.1p1. I started a wiki page to talk about this: https://wiki.freebsd.org/SSHPerf

Feel free to add to the page any more info.

There are other apparent issues w/ ssh that keep its performance low on high latency links, but I haven't spent the time to figure out what they are; in my testing HPN did not increase performance to make use of the fat but high latency link.

So, if it's not increasing performance and making us fall behind, why bother with the trouble of keeping the patch?

If someone is willing to spend the time doing benchmarks, and prove that the HPN patches do make a difference, I'm willing to work with them to figure out why my tests didn't work and change my vote.

I also believe that the defaults should be enough; if you have to tune or enable features, then you can install from ports or compile yourself.

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
On 11/10/15 1:42 AM, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).
>
> DES
>

I had this same problem as well, but have since reworked the HPN patch for ports to be more easily maintained. I've considered offering or just updating the base SSH, but have not since we have random changes in the HPN functionality in base that would be lost. We for some reason decided we were going to maintain our own version and not even upstream the changes to the HPN authors, which has contributed to this situation.

Anyway, reverting the base SSH to stock, and then importing all patches from the ports default version should result in the same base patches applied and a working HPN. I've kept the port version up-to-date with all base changes applied as well (short of HPN customizations we made that are not worth keeping).

A lot of people pressured me to remove HPN as default from the port (during times that I was too busy to rework the patch for the latest OpenSSH) but I persisted in keeping it due to it being enabled in base. If we really remove it from base I may disable it in the port as well as a default. I personally find the feature worth keeping.
Seeing recent benchmarks would be a good idea, but the overall patch is quite simple and non-complex. It's now split up with defines for each feature so they can be disabled at compile time. See /usr/ports/security/openssh-portable/files/extra-patch-hpn. There is HPN_ENABLED and NONE_CIPHER_ENABLED. It's really quite a simple and small patch after removing all of the bogus changes (which I did upstream, and did apply to the base HPN as well) and the logging changes (which were far too intrusive to maintain).

-- 
Regards,
Bryan Drewery
On 11/10/15 5:42 PM, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of the OpenSSH code
> that change significantly in every release. Since they are not
> regularly updated, I have to choose between trying to resolve the
> conflicts myself (hoping I don't break anything) or waiting for them to
> catch up and then figuring out how to apply the new version.
>
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option. I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).
>
> DES

The inclusion of the HPN patches meant that we could drop a custom unsupported HPN-enabled ssh from our build process. It makes ssh actually usable. Without it we need to keep integrating HPN every time ssh is upgraded. We were SO HAPPY when it came in by default.
On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote:
> I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

Fun fact: it's been broken in the port for several months with no complaints. It was just reported and fixed upstream in the last day, and I wrote a similar fix into the port. That speaks a lot about its usage in the port currently.

-- 
Regards,
Bryan Drewery