On Sun, Sep 20, 2020 at 09:34:50AM -0700, Kevin Brott wrote:
> On 9/19/20 11:02 PM, Damien Miller wrote:
> > OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a bugfix release.
>
> Debian GNU/Linux 10 (buster)
> gcc version 8.3.0 (Debian 8.3.0-6)
> OpenSSL 1.1.1d  10 Sep 2019
>
> Hang on conch ciphers test - had to ^C the process:

This might be https://twistedmatrix.com/trac/ticket/9515, which was fixed in Twisted 19.2.0; Debian 10 has an older version. I forget what the original symptoms of that bug were, but it seems plausible. Try applying this workaround patch?

https://salsa.debian.org/ssh-team/openssh/-/blob/debian/1%258.3p1-1/debian/patches/conch-old-privkey-format.patch

(I haven't advocated for this to be applied to OpenSSH upstream, since the proper fix was in Twisted.)

-- 
Colin Watson (he/him) [cjwatson at debian.org]

On 9/20/20 9:58 AM, Colin Watson wrote:
> On Sun, Sep 20, 2020 at 09:34:50AM -0700, Kevin Brott wrote:
>> On 9/19/20 11:02 PM, Damien Miller wrote:
>>> OpenSSH 8.4p1 is almost ready for release, so we would appreciate testing
>>> on as many platforms and systems as possible. This is a bugfix release.
>> Debian GNU/Linux 10 (buster)
>> gcc version 8.3.0 (Debian 8.3.0-6)
>> OpenSSL 1.1.1d  10 Sep 2019
>>
>> Hang on conch ciphers test - had to ^C the process:
> This might be https://twistedmatrix.com/trac/ticket/9515, which was
> fixed in Twisted 19.2.0; Debian 10 has an older version. I forget what
> the original symptoms of that bug were, but it seems plausible. Try
> applying this workaround patch?
>
> https://salsa.debian.org/ssh-team/openssh/-/blob/debian/1%258.3p1-1/debian/patches/conch-old-privkey-format.patch
>
> (I haven't advocated for this to be applied to OpenSSH upstream, since
> the proper fix was in Twisted.)
>

Yup, older twisted: python-twisted 18.9.0-3. Applying the workaround patch to openssh-SNAP-20200921.tar.gz and "all tests passed".

So what's the best-practice fix here - replace the system install of twisted, install an alternate copy for builds, or patch the configure process to test for the broken twisted version(s) and adjust accordingly?

-- 
# include <stddisclaimer.h>
/* Kevin Brott <Kevin.Brott at GMail.com> */

On Mon, Sep 21, 2020 at 12:09:32AM -0700, Kevin Brott wrote:
> Yup, older twisted: python-twisted 18.9.0-3. Applying the
> workaround patch to openssh-SNAP-20200921.tar.gz and "all tests
> passed".
> So what's the best-practice fix here - replace the system install of
> twisted, install an alternate copy for builds, or patch the configure
> process to test for the broken twisted version(s) and adjust
> accordingly?

My approach for interop testing of the official Debian packaging has been to apply the patch I mentioned until such time as the Debian packaging of Twisted catches up. I don't know if it's worth having extra elaborate stuff in OpenSSH to detect the situation without requiring a patch. I kind of feel that the test failure you encountered was detecting a legitimate interoperability problem so avoiding it permanently wouldn't really be right.

-- 
Colin Watson (he/him) [cjwatson at debian.org]