On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote:> On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Sm?rgrav wrote:
>
>> Bryan Drewery <bdrewery at FreeBSD.org> writes:
>>> Another thing that I did with the port was restore the tcpwrapper
>>> support that upstream removed. Again, if we decide it is not worth
>>> keeping in base I will remove it as default in the port.
>>
>> I want to keep tcpwrapper support - it is another reason why I still
>> haven't upgraded OpenSSH, but to the best of my knowledge, it is
far
>> less intrusive than HPN.
>
> Can you explain what is problem?
> I am see openssh in base and openssh in ports (more recent version)
> with same functionaly patches.
> You talk about trouble to upgrade. What is root?
> openssh in base have different vendor and/or license?
> Or something else?
>
> PS: As I today know, kerberos heimdal is practicaly dead as opensource
> project. Have FreeBSD planed switch to MIT Kerberos?
> I am know about security/krb5.
>
IMHO the problem comes down to time. Patching an upstream project
increases maintenance cost for upgrading it. Every patch adds up. When
you become busy and don't have time to pay attention to every little
change made in a release, hearing 'removed tcpwrappers support' or
'refactored the code <more> for libssh usage' makes it sound like
1 more
thing you must deal with to upgrade that code base and more effort to
validate that your patches are right. We obviously don't want to just
drop in the latest code and throw it out there as broken. SSH is quite
critical and we want to ensure our changes are still right, and that
doing something like adding tcpwrappers back in won't introduce some
security bug that upstream was coy about.
--
Regards,
Bryan Drewery
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20151111/505d37ee/attachment.bin>