Hello! Somewhat recently, I submitted a PR for OpenSSH 8.9p1 to bring it current with the release on openssh.com, and it was merged, and all seemed well with the world, or at least with that port, ever so briefly. ;)
Not long after, via Trac, thetrial (alabay) indicated an error with the +gsskex variant on OS X El Capitan, which I certainly hadn't tested with my initial Portfile diff and merged PR. After a bit of rummaging around for a laptop I could access which still had OS X El Capitan installed, I determined that while the issue indicated was reproducible, it had more to do with the +gsskex variant attempting to apply a patch written for 8.8p1. In other words: the issue is not constrained to El Capitan; it is instead related to the +gsskex variant and a patch which no longer applies cleanly to the 8.9p1 codebase. However, this is a patch (i.e. GSSAPI/gsskex) which has been rejected from the upstream OpenSSH project for over two decades now. The wording in the patch itself is rather cautionary in nature, with some salient quotes from the OpenSSH developer community as to why they rejected it, and I pasted that quote as an excerpt in the comments in my next PR effort, which removed references to the patch as well as the patch itself from the files subdirectory for the OpenSSH port. That PR is here: https://github.com/macports/macports-ports/pull/14193

Additionally, it appears as if the original author of the patch, Simon Wilkinson, has also abandoned it, with http://www.sxw.org.uk/computing/patches/ (where it previously resided) presently redirecting to what appears to be his Lighting and Design career website?

Looking a little bit more deeply into this, aside from getting some helpful suggestions from Herby (who also suggested I email this mailing list, hence this message), I couldn't help but notice that there are still various patches in the OpenSSH port files subdirectory related to the HPN variant, which is no longer extant in the Portfile and also appears to have been deprecated for quite some time?
I know FreeBSD's port also abandoned their HPN related OpenSSH patches some years ago as well, though I admit I never paid close attention to that variant with MacPorts to know its lifecycle. In other words: the OpenSSH port has been without a maintainer, and the Portfile and associated files subdirectory seem to have accrued some bitrot. While I can presumably amend my last PR or submit another PR with a bit of additional housekeeping to remove the HPN related files, for example, in addition to my extant minimalist effort to simply eliminate errors in the +gsskex variant (admittedly, without actually removing references to it, with the variant stanzas, entirely from the Portfile, which is probably the wiser decision along that line of thought), it seems as if it might be worthwhile to bring some of these issues to the attention of the larger MacPorts developer community for perspective and hopefully helpful suggestions? Maybe it is my nerves talking, but especially given that I do not have commit access and am not the most facile with GitHub, having only had three PRs merged into MacPorts thus far, I don't feel as if I have a lot of confidence in my actions as related to git presently (I'm an older-than-CVS kind of coder; some newfangled tools rife with Linuxisms don't sit well with me). Moreover, maybe some people really liked the +gsskex/GSSAPI patch for OpenSSH, which is why they had refactored it for 8.8p1? To me, the gsskex variant kind of screams "yikes, plausible attack surface" and, like the deprecated HPN patches, it and its associated references and files are worth jettisoning, but I do not profess to be an authoritative source for any of that so much as I am sharing my opinion. What do others think? Feedback is welcome!
I didn't mean to harsh on Renee in the PR comments either, but Renee was pretty up front about not actually using the OpenSSH port, so I would mostly appreciate perspective from individuals who do actually use the OpenSSH port and have some "skin in the game", as the idiomatic expression goes. For the life of me, I can't really see much good coming from the +gsskex/GSSAPI variant, but I also do not presently administer any Kerberos related infrastructure at the moment (thankfully, if slightly tangentially, I also no longer administer any yp related infrastructure these days and can blissfully recall it and its associated security holes with ypcat abuses only as distant early 1990s memories now). Thank you in advance for any wisdom you may be able to share on this issue!

| グレェー grey

p.s. Happy π day!