On 11/10/15 1:42 AM, Dag-Erling Sm?rgrav wrote:> Some of you may have noticed that OpenSSH in base is lagging far behind > the upstream code. > > The main reason for this is the burden of maintaining the HPN patches. > They are extensive, very intrusive, and touch parts of the OpenSSH code > that change significantly in every release. Since they are not > regularly updated, I have to choose between trying to resolve the > conflicts myself (hoping I don't break anything) or waiting for them to > catch up and then figuring out how to apply the new version. > > Therefore, I would like to remove the HPN patches from base and refer > anyone who really needs them to the openssh-portable port, which has > them as a default option. I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). > > DES >I had this same problem as well, but have since reworked the HPN patch for ports to be more easily maintained. I've considered offering or just updating the base SSH, but have not since we have random changes in the HPN functionality in base that would be lost. We for some reason decided we were going to maintain our own version and not even upstream the changes to the HPN authors which has contributed to this situation. Anyway, reverting the base SSH to stock, and then importing all patches from the ports default version should result in the same base patches applied and a working HPN. I've kept the port version up-to-date with all base changes applied as well (short of HPN customizations we made that are not worth keeping) A lot of people pressured me to remove HPN as default from the port (during times that I was too busy to rework the patch for the latest OpenSSH) but I persisted in keeping it due to it being enabled in base. If we really remove it from base I may disable it in the port as well as a default. I personally find the feature worth keeping. Seeing recent benchmarks would be a good idea, but the overall patch is quite simple and non-complex. It's now split up with defines for each feature so they can be disabled at compile time. See /usr/ports/security/openssh-portable/files/extra-patch-hpn. There is HPN_ENABLED and NONE_CIPHER_ENABLED. It's really quite a simple and small patch after removing all of the bogus changes (which I did upstream, and did apply to the base HPN as well) and the logging changes (which were far too intrusive to maintain). -- Regards, Bryan Drewery
On 11/10/15 4:40 PM, Bryan Drewery wrote:> Anyway, reverting the base SSH to stock, and then importing all patches > from the ports default version should result in the same base patches > applied and a working HPN.Actually I am missing the client-side VersionAddendum support (ssh.c). I only have server-side (sshd.c). This is just due to lack of motivation to import the changes. -- Regards, Bryan Drewery
On Tue, Nov 10, 2015 at 04:40:42PM -0800, Bryan Drewery wrote:> On 11/10/15 1:42 AM, Dag-Erling Sm??rgrav wrote: > > Some of you may have noticed that OpenSSH in base is lagging far behind > > the upstream code. > > > > The main reason for this is the burden of maintaining the HPN patches. > > They are extensive, very intrusive, and touch parts of the OpenSSH code > > that change significantly in every release. Since they are not > > regularly updated, I have to choose between trying to resolve the > > conflicts myself (hoping I don't break anything) or waiting for them to > > catch up and then figuring out how to apply the new version. > > > > Therefore, I would like to remove the HPN patches from base and refer > > anyone who really needs them to the openssh-portable port, which has > > them as a default option. I would also like to remove the NONE cipher > > patch, which is also available in the port (off by default, just like in > > base). > > I had this same problem as well, but have since reworked the HPN patch > for ports to be more easily maintained. I've considered offering or > just updating the base SSH, but have not since we have random changes in > the HPN functionality in base that would be lost. We for some reason > decided we were going to maintain our own version and not even upstream > the changes to the HPN authors which has contributed to this situation.We had ever intention of upstreaming our cleaned up HPN patches and some interest from OpenSSH devs to take the window scaling portion of the patch upstream, but other things intruded and we never found time to complete that work. I think both the window scaling and NONE cipher changes are useful, but do not have time to do anything with them. I'm fine with them being removed from base and replaced or just dropped if they are in the way of progress. -- Brooks -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 473 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20151111/6716634b/attachment.bin>