[Bug 535029] Re: Update to OpenSSH 5.4p1

Colin Watson cjwatson at canonical.com
Wed Mar 17 22:47:49 GMT 2010


On Wed, Mar 17, 2010 at 06:17:25PM -0000, Matthew Weaver wrote:
> Colin, what can be done to convince folks that inclusion of this OpenSSH
> release in lucid is the best idea?
> 
> The certificate authentication support is most compelling for large
> institutional installations, the same user base that focuses on LTS
> releases (and have long upgrade cycles).

Thanks for your comments.

I'm excited by this feature too, but as I said, I'm not comfortable with
supporting basically an unknown-quantity .0 release of it for five
years; I'm concerned that it seems the sort of thing that may well
require revision once it sees non-trivial deployment.  For example,
https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-February/028325.html
is a mail with some concerns from a GnuPG developer, and in the followup
from an OpenSSH developer it transpires that revocation isn't
implemented yet.  Isn't that likely to be pretty critical for a number
of large institutions?  I'm not criticising the OpenSSH developers for
this - hey, they did the work and I would be surprised if it weren't
pretty robust as far as it goes - but it's pretty clear that this is an
initial version that will require some extensions.

As for what could be done to convince me - I don't know, release it a
month earlier? :-)  Really, this is a time thing more than anything
else.  This is exactly the sort of thing that feature freeze is *for*.
The sheer size and newness (in design terms - it's a certification
system designed *from scratch*, albeit by competent cryptographic
implementors but still) of the feature just makes me more reluctant to
override feature freeze for it.

> The fact that OpenSSH included the features in a point release is a
> compelling argument to the importance of the feature and the quality of
> implementation.

No, that doesn't hold given OpenSSH's release history, I'm afraid.
Since 2.0 or so, OpenSSH has just incremented the "minor" number each
time, and bumped the "major" number when the "minor" number would
otherwise have hit 10.  There's little if any correlation between the
"minor" number and the character of the release, and 5.4p1 isn't a point
release the way it might be in other projects.  In terms of new
features, it's the most significant since at least 5.1, maybe 4.9.
(Note, too, that 5.5p1 is planned soon to address some new issues in
5.4p1.)

Once the dust settles a little, I am prepared to maintain a backport of
a version of OpenSSH with certificate authentication support in a
special archive for Lucid users (or possibly in lucid-backports,
although I don't know which people would tend to trust more; perhaps
both).  But I'm afraid I'm not persuaded that this should be *the*
version of OpenSSH in Ubuntu 10.04 LTS.  5.3p1 is pretty solid at this
point and I'm much more comfortable with it.

-- 
Update to OpenSSH 5.4p1
https://bugs.launchpad.net/bugs/535029