Debian Developers - Uploading openssh NMU for SELinux updates as per release policy

Manoj Srivastava

2006-10-27, 1:24 am

Hi,

Three days ago, I sent in a patch in Bug#394795 which updated
SELinux patches to bring 'em in line with currently released SELinux
code in Debian. I updated that patch [0], and the binaries were
vetted by the debian installer folks, and ack'd. I have been running
the patched openssh binaries for over a week, and they have been
available for download for the last three days or so.

I am planning on uploading this package to the 1 day delayed
queue, just in case, though it qualifies for the 0 day NMU. The
changes are the patch in the mail below, followed by autoreconf
(autoreconf was not run before generating the patch so as to not
drown out relevant changes in autoconf noise).

manoj


[0] http://bugs.debian.org/cgi-bin/bugr...95;msg=10;att=1
--
To stay youthful, stay useful.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Matthew Vernon

2006-10-27, 1:17 pm

Manoj Srivastava <srivasta@debian.org> writes:

> Hi,
>
> Three days ago, I sent in a patch in Bug#394795 which updated
> SELinux patches to bring 'em in line with currently released SELinux
> code in Debian. I updated that patch [0], and the binaries were


I know nothing about SELinux, so can't really comment on the patch. In
general, however, we encourage people wanting to patch openssh to talk
to upstream first: Trying to maintain substantial patch-sets between
openssh releases just causes pain, particularly if the feature
involved is later implemented in upstream openssh, with differing
config options &c. Furthermore, if upstream don't like a patch, we are
naturally reluctant to deploy it ourselves.

Have the bits of this patch that aren't Debian-specific been even
shown to upstream? If not, please don't go slamming them willy-nilly
into Debian's openssh.

Matthew

--
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org


Manoj Srivastava

2006-10-27, 1:17 pm

On 27 Oct 2006 13:26:53 +0100, Matthew Vernon <matthew@debian.org> said:

> Manoj Srivastava <srivasta@debian.org> writes:
> I know nothing about SELinux, so can't really comment on the
> patch. In general, however, we encourage people wanting to patch
> openssh to talk to upstream first: Trying to maintain substantial
> patch-sets between openssh releases just causes pain, particularly
> if the feature involved is later implemented in upstream openssh,
> with differing config options &c. Furthermore, if upstream don't
> like a patch, we are naturally reluctant to deploy it ourselves.


That is an admirable policy, especially when applied to new
features. However, openssh already has SELinux -- but there is a wee
bit of bit-rot setting in. SELinux has changed; the SELinux
infrastructure shipping in Etch is different from the one that the
patches are based on. It would be a bug if the features of SELinux
were degraded (MLS levels being set to the default, low capability
ones) if one used ssh to log in as opposed to directly logging in.

So, since this is just bringing bits of openssh in line with
the version of SELinux we ship, I think it would be a bug _not_ to
update the SELinux code in openssh.

> Have the bits of this patch that aren't Debian-specific been even
> shown to upstream? If not, please don't go slamming them willy-nilly
> into Debian's openssh.


This change brings us in line with the Fedora and Gentoo
SELinux patches, so it might help getting it upstream.

manoj
--
If puns were deli meat, this would be the wurst.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C

