On Mon, 19 May 2008, Kees Cook wrote:
> On Mon, May 19, 2008 at 08:21:04PM +0100, Paul Sladen wrote:
> > The 'openssh-blacklist' package is currently "questionably useful" on
> That's a very old version of dpkg that doesn't support bzip2.

Ubuntu has shipped with a dpkg that did not include bzip2 support[0]; and that was not so very long ago. Sarge was the first version of Debian to ship with a bzip2-capable dpkg, which was *less than 3 years ago*[1]. Put simply: anyone with a three-year-old Debian install was either running pre-release software at install time, or *may[2] have hit this issue*.

> The space-savings is non-trivial,

The space savings from bzip2'ing 'openssh-server' and 'openssh-client' are greater than the saving from bzip2'ing 'openssh-blacklist'.[3]

> so bzip2 is going to stay [for 'openssh-blacklist']

If 'openssh-server' and 'openssh-client' are deemed important enough to be gzipped, then any hard dependencies should be treated the same---otherwise the core (gzipped) package is uninstallable[4] and the entire dependency tree for 'sshd' might as well be bzipped.

If new dependencies are introduced [during a security fix], I think an extra 100kB on the mirror is preferable to *zero or more* broken packaging setups on systems.[5] (The installed on-disk size for the user is the same.)[6][7]

When packages started to be bzipped in Ubuntu (eg. OOo), those packages received 'Pre-Depends: >=1.10.24' for dpkg; I would hope the same is true for more system-critical packages. I would rather see something fail cleanly than break, leaving both the packaging system in an inconsistent state and no 'sshd' running.[7]

Any security fix should ideally be doing the minimum of alteration, and require the minimum of intervention. The OpenSSH update was a /critical/ security update, in response to a /critical/ bug introduced early. I hope that the update can be made available as a distro-signed binary package for as many affected systems as possible, without the further risk of leaving any of those machines broken.

It is not the security fix that has led to a breakage. It is _new_ code and the packaging choices made with it:

 1). A hard 'Depends:' for a non-critical (but good-idea) extension.
 2). Use of a non-critical (but mild space-saving) packaging extension.
 3). Non-use of a non-critical (but good practice) Pre-Depends: safety net.
 4). Installation on a not-the-latest (but well serving) Debian system.

It is the unfortunately coincidental combination of all four. I'm happy to supply patches to update any of the three avenues, should you have a preference.

	-Paul

[0] http://changelogs.ubuntu.com/changelogs/pool/main/d/dpkg/dpkg_1.10.22ubuntu2.1/changelog although not an LTS release.
[1] Sarge (Debian 3.1), released on 2005-06-06. (buggy) openssl 0.9.8c-1 uploaded on 2006-09-17.
[2] Depending on the exact set of intermediate updates/upgrades.
[3] Saving of 121639 bytes vs. 117867 bytes (i386 and all respectively). The saving on the binary packages massively outweighs the saving on the all package when multiplied across 12 architectures. Note: the advdef (in 'advancecomp') deflater beats .bzip2 on the 'openssh-blacklist/data.tar' and is still backwards compatible with older versions of dpkg.
[4] In the situations where it is deemed preferable to have .gz
[5] That size even comes up is, I fear, a distraction from the packaging compatibility issue.
[6] As an interesting aside, with a raw binary packing of the hash blobs, the .gz beats no packing, beats .bz2.
[7] I no longer have immediate access to the first machine I hit this on; I had closed the ssh session and have not located why 'sshd' had been stopped before the installation failed. Why, I don't know.

-- 
Why do one side of a triangle when you can do all three.  Somewhere, GB.
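As an added illustration of the compatibility problem the thread discusses (this is example code written for this page, not anything from the openssh-blacklist package, from Paul, or from Kees), the script below parses the outer 'ar' container of a .deb, identifies whether its data.tar member is gzip- or bzip2-compressed from the magic bytes rather than the file name, and reports whether a given dpkg version could unpack it and what Pre-Depends line would make the failure clean. The 1.10.24 threshold is the one quoted in the message; the sample packages are constructed in memory, and the version comparison is a deliberate simplification (numeric prefix only, not full 'dpkg --compare-versions' semantics).

```python
import io
import re
import tarfile

# Minimum dpkg able to unpack a bzip2-compressed data.tar, as stated in the
# message above ('Pre-Depends: >=1.10.24' for dpkg).
MIN_DPKG_FOR_BZIP2 = (1, 10, 24)

AR_MAGIC = b"!<arch>\n"


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one member of an 'ar' archive (the outer .deb container):
    a 60-byte text header, the data, and a newline pad to an even offset."""
    header = (
        f"{name:<16}"          # file name
        f"{0:<12}"             # mtime
        f"{0:<6}{0:<6}"        # uid, gid
        f"{0o100644:<8o}"      # mode (octal)
        f"{len(data):<10}"     # size in bytes
        "`\n"                  # header terminator
    ).encode("ascii")
    return header + data + (b"\n" if len(data) % 2 else b"")


def ar_members(blob: bytes):
    """Yield (name, data) for each member of an 'ar' archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated ar member")
        yield name, data
        pos += 60 + size + (size % 2)


def _tar_bytes(mode: str, files: dict) -> bytes:
    """Build an in-memory tarball ('w:gz' or 'w:bz2') from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb(data_compression: str) -> bytes:
    """Constructed sample .deb (not a real Debian package) whose data.tar is
    gzip- or bzip2-compressed, used only to exercise the checks below."""
    control = _tar_bytes("w:gz", {"./control": b"Package: sample\nVersion: 0.1\nArchitecture: all\n"})
    payload = {"./usr/share/doc/sample/README": b"constructed sample payload\n"}
    if data_compression == "bzip2":
        data_name, data = "data.tar.bz2", _tar_bytes("w:bz2", payload)
    elif data_compression == "gzip":
        data_name, data = "data.tar.gz", _tar_bytes("w:gz", payload)
    else:
        raise ValueError(data_compression)
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control)
            + _ar_member(data_name, data))


def data_tar_compression(deb: bytes) -> str:
    """Identify the data.tar compression by magic bytes, not by file name."""
    for name, data in ar_members(deb):
        if name.startswith("data.tar"):
            if data.startswith(b"\x1f\x8b"):
                return "gzip"
            if data.startswith(b"BZh"):
                return "bzip2"
            return "unknown"
    raise ValueError("no data.tar member")


def dpkg_numeric_prefix(version: str) -> tuple:
    """Simplification (assumption): compare only the leading dotted-numeric
    part of a Debian version, so '1.10.22ubuntu2.1' -> (1, 10, 22). Not full
    'dpkg --compare-versions' semantics (epochs, revisions, '~' ordering)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def suggested_pre_depends(deb: bytes):
    """Pre-Depends line the package would need so dpkg refuses cleanly instead
    of leaving a half-installed system; None when gzip (any dpkg will do)."""
    if data_tar_compression(deb) == "bzip2":
        return "dpkg (>= %s)" % ".".join(map(str, MIN_DPKG_FOR_BZIP2))
    return None


def installable_with(deb: bytes, dpkg_version: str) -> bool:
    """Would this dpkg version be able to unpack the package's data.tar?"""
    comp = data_tar_compression(deb)
    if comp == "gzip":
        return True
    if comp == "bzip2":
        return dpkg_numeric_prefix(dpkg_version) >= MIN_DPKG_FOR_BZIP2
    return False  # no threshold known here for other formats: don't guess


if __name__ == "__main__":
    # Constructed dpkg version strings; the first is the one cited in [0].
    for comp in ("gzip", "bzip2"):
        deb = build_sample_deb(comp)
        for dpkg in ("1.10.22ubuntu2.1", "1.10.24", "1.10.28"):
            print(f"data.tar={data_tar_compression(deb):<6} dpkg={dpkg:<17} "
                  f"installable={installable_with(deb, dpkg)} "
                  f"pre-depends={suggested_pre_depends(deb)}")
```

The check reads the compressed stream's magic bytes rather than trusting the member name, so a data.tar.gz that actually holds bzip2 data is still flagged; that is the same distinction dpkg makes when it decides it cannot unpack a package.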