gridcf / gct

Grid Community Toolkit
Apache License 2.0

Remove obsolete GSI-OpenSSH 7.5p1 for Debian #198

Closed fscheiner closed 2 years ago

fscheiner commented 2 years ago

Fixes #170

fscheiner commented 2 years ago

I worked on a GSI-OpenSSH w/HPN package for Debian GNU/Linux 11 based on the corresponding OpenSSH 8.4p1 since a while and it is available from the OBS now:

https://build.opensuse.org/package/show/home:frank_scheiner:gsi-openssh-debian-11/gsi-openssh (Repo for Debian)

Follow the instructions on https://en.opensuse.org/openSUSE:Build_Service_Debian_builds#Configuring_sources.list to allow installations from this repository. The needed key is https://download.opensuse.org/repositories/home:/frank_scheiner:/gsi-openssh-debian-11/Debian_11/Release.key.

Just for the record, these are the results from testing this version of GSI-OpenSSH on Debian GNU/Linux 11:

```
johndoe@gridftp-5:~$ sudo ~/bin/test-gss-kex-for-gsi-openssh.bash gridftp-5.domain.tld johndoe2
gsisshd: OpenSSH_8.4p1c-GSI GSI-hpn15v1 Debian-1.1, OpenSSL 1.1.1n  15 Mar 2022
gsissh: OpenSSH_8.4p1c-GSI GSI-hpn15v1 Debian-1.1, OpenSSL 1.1.1n  15 Mar 2022

Wait 3 seconds for startup of gsisshd ...

gss-gex-sha1- OK
gss-group1-sha1- OK
gss-group14-sha256- OK
gss-nistp256-sha256- OK
gss-curve25519-sha256- OK
gss-group16-sha512- OK
```

So we can now remove the obsolete GSI-OpenSSH 7.5p1 for Debian from the /packaging/debian directory. The /packaging/fedora directory doesn't contain an RPM spec file for GSI-OpenSSH either. This is because we usually want to provide a GSI-OpenSSH version that is based on the OpenSSH version available for the respective OS version.

fscheiner commented 2 years ago

> You seem to remove the whole packaging/debian/gsi-openssh/ directory, is that intended?

Yes, exactly so. That code is unmaintained (i.e. the OpenSSH 7.5p1 source misses any updates or backports for this version, it also does not have any of the Debian patches for this version) and also not really useful anymore. Who would use such an old version voluntarily, if at all it still compiles with newer OpenSSL versions?

> Concerning the version, in principle, I presume we no longer need to support 7.5p1, and old-stable has 7.4

That's already oldoldstable aka Stretch.

> , not 7.5. Only buster's openssh v1 is 7.5 but I don't think that would be needed.

Yeah. And I intentionally started with a GSI-OpenSSH for current Debian stable. I might consider creating GSI-OpenSSH packages for Debian based on OpenSSH 7.9 for oldstable (Buster), though this won't have support for SHA256 and SHA512 based GSSKEX methods AFAIK, same like the GSI-OpenSSH 7.4 in EPEL7.
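An added example, not part of the thread and not the `test-gss-kex-for-gsi-openssh.bash` script itself: a small shell check that reads result lines in the format quoted above and tells you whether a given GSI-OpenSSH build offers any SHA-2 based GSS key exchange method or only the SHA-1 ones. The function names are hypothetical, and it assumes that any status other than `OK` means the method did not work.

```shell
# Constructed sample: the six result lines quoted in the thread.
SAMPLE_RESULTS='gss-gex-sha1- OK
gss-group1-sha1- OK
gss-group14-sha256- OK
gss-nistp256-sha256- OK
gss-curve25519-sha256- OK
gss-group16-sha512- OK'

# classify_gss_kex: read test output on stdin and print "<class> <method>"
# for every GSS KEX method reported as OK. Banner lines, blank lines and
# anything whose second field is not "OK" (assumed failure) are skipped.
classify_gss_kex() {
    while read -r method status _ || [ -n "$method" ]; do
        [ "$status" = "OK" ] || continue
        case "$method" in
            gss-*-sha1-)                 echo "sha1 $method" ;;
            gss-*-sha256-|gss-*-sha512-) echo "sha2 $method" ;;
            gss-*)                       echo "unknown $method" ;;
        esac
    done
}

# count_class CLASS: number of working methods in CLASS (results on stdin).
count_class() {
    classify_gss_kex | awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

# has_sha2_gss_kex: succeed only if at least one SHA-2 based method works,
# i.e. the build is not limited to SHA-1 based GSS key exchange.
has_sha2_gss_kex() {
    [ "$(count_class sha2)" -gt 0 ]
}

# Example run against the constructed sample.
printf '%s\n' "$SAMPLE_RESULTS" | classify_gss_kex
if printf '%s\n' "$SAMPLE_RESULTS" | has_sha2_gss_kex; then
    echo "SHA-2 based GSS KEX available"
else
    echo "only SHA-1 based GSS KEX available"
fi
```

Piping the full output of a test run into `has_sha2_gss_kex` works as well, since the version banner and startup lines are ignored.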

msalle commented 2 years ago

> > You seem to remove the whole packaging/debian/gsi-openssh/ directory, is that intended?
>
> Yes, exactly so. That code is unmaintained (i.e. the OpenSSH 7.5p1 source misses any updates or backports for this version, it also does not have any of the Debian patches for this version) and also not really useful anymore. Who would use such an old version voluntarily, if at all it still compiles with newer OpenSSL versions?

ok, my point was more that I wasn't sure it wasn't still used elsewhere but didn't realise we don't yet have gsi-openssh in Debian.

> > Concerning the version, in principle, I presume we no longer need to support 7.5p1, and old-stable has 7.4
>
> That's already oldoldstable aka Stretch.

again there I had been misreading things, sorry. You're totally right that we shouldn't support stretch

> > , not 7.5. Only buster's openssh v1 is 7.5 but I don't think that would be needed.
>
> Yeah. And I intentionally started with a GSI-OpenSSH for current Debian stable. I might consider creating GSI-OpenSSH packages for Debian based on OpenSSH 7.9 for oldstable (Buster), though this won't have support for SHA256 and SHA512 based GSSKEX methods AFAIK, same like the GSI-OpenSSH 7.4 in EPEL7.

indeed, that makes perfect sense. Just debian stable for now is fine

fscheiner commented 2 years ago

> > Yes, exactly so. That code is unmaintained (i.e. the OpenSSH 7.5p1 source misses any updates or backports for this version, it also does not have any of the Debian patches for this version) and also not really useful anymore. Who would use such an old version voluntarily, if at all it still compiles with newer OpenSSL versions?
>
> ok, my point was more that I wasn't sure it wasn't still used elsewhere but didn't realise we don't yet have gsi-openssh in Debian.

Indeed, there is no GSI-OpenSSH for Debian yet - we had a discussion about the reasons some time ago - and I also checked if it is needed anywhere else in the "standard" GCT build process and it is not AFAICT. The only thing that won't work after merging this PR is:

```
make gsi_openssh-deb
```

...but doing that doesn't work out of the box anyhow, because you'd need to build and install the build dependencies first manually.

But with GSI-OpenSSH packages for Debian stable this isn't needed any longer and also not really useful taking into account that each Debian version has its own specific version of OpenSSH.


Thanks for having a look. And I'll merge this now.