CentOS - Mar 2012 - mismatch in openssh latest rpm available at centos

Hello Group,

The latest rpm in openssh is 5.8, however, the corresponding latest rpm
available in centos 5.7  is only

openssh-4.3p2-72.el5_6.3.x86_64.rpm


and
in 6.0 centos is

openssh-5.3p1-20.el6.x86_64.rpm

I have following questions.

1. I want to start from src.rpm and where can I get the src.rpm for
openssh-5.3p1-20.el6.x86_64.rpm.

2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with 5.7 centos
without causing any problems.

3. Which of these two rpms will be most compatible with latest openssh rpm
version 5.8.

Please let me know.  It is important for my work.

Any help will be greatly appreciated.

-- 
Thanks

Nagrik

On Wed, Mar 28, 2012 at 9:05 PM, Vinay Nagrik <vnagrik at gmail.com>
wrote:
> Hello Group,
>
> The latest rpm in openssh is 5.8, however, the corresponding latest rpm
> available in centos 5.7 ?is only
>     openssh-4.3p2-72.el5_6.3.x86_64.rpm
> and in 6.0 centos is
>    openssh-5.3p1-20.el6.x86_64.rpm
>
> I have following questions.
> 1. I want to start from src.rpm and where can I get the src.rpm for
> openssh-5.3p1-20.el6.x86_64.rpm.
> 2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with 5.7 centos
> without causing any problems.
> 3. Which of these two rpms will be most compatible with latest openssh rpm
> version 5.8.
>
> Please let me know. ?It is important for my work.
>
> Any help will be greatly appreciated.
> Nagrik

You may want to read about how Redhat and thus CentOS handles package
versions with regard to security patches, etc...  There is information
here:
    https://access.redhat.com/security/updates/backporting/

As for obtaining the most recent version of openssh for other reasons
(such as features), it is strongly recommended against compiling your
own, and instead installing the package from another publicly accepted
repository, such as EPEL or RepoForge.  Any packages on there have
already been compiled and tested to work with your version of CentOS.
I would avoid installing the C6 version of openssh on C5, and instead
make sure to get the proper package meant for C5.


? Brian Mathis

On 03/28/2012 08:05 PM, Vinay Nagrik wrote:
> Hello Group,
>
> The latest rpm in openssh is 5.8, however, the corresponding latest rpm
> available in centos 5.7  is only
>
> openssh-4.3p2-72.el5_6.3.x86_64.rpm
>
>
> and
> in 6.0 centos is
>
> openssh-5.3p1-20.el6.x86_64.rpm
>
> I have following questions.
>
> 1. I want to start from src.rpm and where can I get the src.rpm for
> openssh-5.3p1-20.el6.x86_64.rpm.
>
> 2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with 5.7 centos
> without causing any problems.
If you rebuild it, if it rebuilds, and if you rebuild anything that
depends on the old one, then yes.  It may not build without newer
"buildrequires" being met though.  And now, every time there is an
upgrade, you have to remember to get the new one and rebuild again.  You
also have to track any changes of the new "buildrequires" that you had
to build.
>
> 3. Which of these two rpms will be most compatible with latest openssh rpm
> version 5.8.
They are all compatible ... I don't think any is more compatible than
another.
>
> Please let me know.  It is important for my work.
>
> Any help will be greatly appreciated.
>
Unless you are going to look at the CVE website every day for ssh
vulnerabilities and roll in patches or get new code from openssh
directly for every one, then you want to stay with what is in the distro.

Red Hat uses backporting for security issues:

https://access.redhat.com/security/updates/backporting/

If you rebuild a new ssh, you will also have to rebuild any packages
that are built against the old openssh against the new openssh.

If you are concerned about security ... that is the whole purpose of
enterprise linux ... it backports security patches for 10 years while
maintaining consistent APIs/ABIs. 

If you want the latest packages on your machine, then you want Fedora
and not CentOS.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20120329/6dce0ab6/attachment-0004.sig>

Johnny Hughes wrote:
> On 03/28/2012 08:05 PM, Vinay Nagrik wrote:
>>
>> The latest rpm in openssh is 5.8, however, the corresponding latest rpm
>> available in centos 5.7  is only
>> openssh-4.3p2-72.el5_6.3.x86_64.rpm
>> and in 6.0 centos is
>> openssh-5.3p1-20.el6.x86_64.rpm
>>
>> I have following questions.
>>
>> 1. I want to start from src.rpm and where can I get the src.rpm for
>> openssh-5.3p1-20.el6.x86_64.rpm.
>>
>> 2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with 5.7 centos
>> without causing any problems.
>
> If you rebuild it, if it rebuilds, and if you rebuild anything that
> depends on the old one, then yes.  It may not build without newer
> "buildrequires" being met though.  And now, every time there is
an
> upgrade, you have to remember to get the new one and rebuild again.  You
> also have to track any changes of the new "buildrequires" that
you had
> to build.
>>
>> 3. Which of these two rpms will be most compatible with latest openssh
>> rpm version 5.8.
<snip>
> If you rebuild a new ssh, you will also have to rebuild any packages
> that are built against the old openssh against the new openssh.
>
> If you are concerned about security ... that is the whole purpose of
> enterprise linux ... it backports security patches for 10 years while
> maintaining consistent APIs/ABIs.
>
> If you want the latest packages on your machine, then you want Fedora
> and not CentOS.
Well... I can see it. We had to build a newer package for 5.x, because we
*had* to have PIV-II/pkcs11 support. That's *just* come in with 6.2, to be
able to log in with a smart card. Even so, there's a bug/enhancement (and
my manager has this in w/ Redhat, and it's been escalated) needed, that it
insists on showing the userlist of recent logins.

       mark