freebsd security - Sep 2016 - Heimdal in base

Benjamin Kaduk <kaduk at MIT.EDU> writes:
> Things seem to have slowed down a lot since the lead Heimdal developer
> got hired for Apple.  [...]  MIT employs developers whose job
> descriptions include being the krb5 release manager [...]  Heimdal has
> changed plans to a 1.7 release [...] and since the developers in
> question are being paid to work on other things, there is no real
> timeline for the release.
Given this state of affairs, it might not be unreasonable to consider
switching back for 11.  There should be enough time, provided our
Kerberos maintainers have some spare cycles.

DES
-- 
Dag-Erling Sm?rgrav - des at des.no

Hi,

Please forgive my ignorance but what's the reason FreeBSD ships
OpenSSH patched with HPN by default? Besides my passion for
security, I've been working in the HPC sector for a while and
benchmarked the patch for a customer about 1.5 years ago. The
CTR-multi threading patch is actually *slower* than upstream OpenSSH
with AES in CTR mode. GCM being, of course, the fastest mode on
AESNI plattforms.

The NULL mode is a security concern as some have noted, I can only
imagine that the window-scaling patch is of such importance?

Thanks,
Aaron
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20151124/44b72bb4/attachment.bin>

(was Re: OpenSSH HPN)

[See
https://lists.freebsd.org/pipermail/freebsd-security/2015-November/008747.html
for the bits that Dag-Erling skipped]

On Fri, 13 Nov 2015, Dag-Erling Sm?rgrav wrote:
> Benjamin Kaduk <kaduk at MIT.EDU> writes:
> > Things seem to have slowed down a lot since the lead Heimdal developer
> > got hired for Apple.  [...]  MIT employs developers whose job
> > descriptions include being the krb5 release manager [...]  Heimdal has
> > changed plans to a 1.7 release [...] and since the developers in
> > question are being paid to work on other things, there is no real
> > timeline for the release.
>
> Given this state of affairs, it might not be unreasonable to consider
> switching back for 11.  There should be enough time, provided our
> Kerberos maintainers have some spare cycles.
Well, it's definitely too late for 11, now.

But, Debian is preparing to remove their heimdal package entirely,
imminently: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728

I also can't find an archive of heimdal-discuss at sics.se that still works
(now that gmane is gone), so I'll quote the relevant message from there,
below.

Maybe we should consider dropping heimdal for 12.

-Ben

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Date: Wed, 14 Sep 2016 14:58:27 -0400
From: Andrew Bartlett <abartlet at samba.org>
To: heimdal-discuss at sics.se
Subject: Heimdal to be removed from Debian shortly

FYI:
I'm sorry to say that per:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834654
and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728

Heimdal will shortly be removed from Debian.
It is the view of those
of us involved that inclusion of sensitive security software in the
next stable release of Debian needs the normal pattern of maintained
upstream releases, not just a git tree to take snapshots from.

It is also being eased out of Samba, we will make further decisions
once we get a build against MIT krb5 working.

Sorry,

Andrew Bartlett
--
Andrew Bartlett                         http://samba.org/~abartlet/
Authentication Developer, Samba Team    http://samba.orgSamba Developer,
Catalyst IT            http://catalyst.net.nz/services/samba