On Tue, Apr 02, 2024 at 01:30:10AM +0100, Colin Watson wrote:
>   * add dependency-only packages called something like openssh-client-gsskex and openssh-server-gsskex, depending on their non-gsskex alternatives
>   * add NEWS.Debian entry saying that people need to install these packages if they want to retain GSS-API key exchange support
>   * add release note saying the same
> * for Debian trixie+1 (or maybe after the next Ubuntu LTS, depending on exact timings):
>   * add separate openssh-gsskex source package, carrying gssapi.patch in addition to whatever's in openssh, and whose binary packages Conflicts/Replaces/Provides the corresponding ones from openssh
>   * add some kind of regular CI to warn about openssh-gsskex being out of date relative to openssh
>   * drop gssapi.patch from openssh, except for small patches to configuration file handling to accept the relevant options with some kind of informative warning (compare https://bugs.debian.org/152657)
To speed things up for those who really want it, perhaps make openssh-client/server dependency-only packages on openssh-client/server-nogss? People can choose the less-compatible version for this release if they want to, and the default can change next release. Pushing back the ability to install the unpatched version for a few more years seems suboptimal.
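The two-stage transition quoted above, and the "nogss" variant proposed in the reply, both rely on the same Debian packaging relationships (a dependency-only package first, then a package from a second source that Conflicts/Replaces/Provides the original). The debian/control stanzas below are an added illustration written for this page, not packaging from the openssh or openssh-gsskex source packages; package names follow the thread, but every other field (versions, descriptions, the ${source:Version} substitution) is an assumed placeholder.

```debcontrol
# Stage 1 (trixie): openssh still carries gssapi.patch. The -gsskex package is
# an empty, dependency-only marker that records the admin's choice so apt can
# act on it at the next release. Example only; fields are assumed.
Source: openssh
Section: net
Priority: standard

Package: openssh-client-gsskex
Architecture: all
Depends: openssh-client (>= ${source:Version}), ${misc:Depends}
Description: GSS-API key exchange support for the OpenSSH client (marker)
 Dependency-only package. Install it if you rely on the gss-* key
 exchange methods so that they are retained across the next upgrade.

# Stage 2 (trixie+1): gssapi.patch moves to a separate source. Its binary
# packages keep the -gsskex names, so the stage-1 marker upgrades into the
# real thing, and Conflicts/Replaces/Provides lets them stand in for the
# unpatched openssh-client on systems that installed the marker.
Source: openssh-gsskex
Section: net
Priority: optional

Package: openssh-client-gsskex
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: openssh-client
Replaces: openssh-client
Provides: openssh-client (= ${source:Version})
Description: OpenSSH client with GSS-API key exchange
 Carries gssapi.patch on top of the openssh-client in Debian.

# Reply's variant for the current release: make the familiar name the
# dependency-only package and let the unpatched build be selectable now.
# Names as in the reply; the relationship fields are assumed.
Package: openssh-client
Architecture: all
Depends: openssh-client-nogss (>= ${source:Version}) | openssh-client-gsskex (>= ${source:Version}), ${misc:Depends}
Description: OpenSSH client (dependency package)
 Pulls in either the unpatched or the GSS-API key exchange build.
```

Two things to check before shipping such a transition: the Provides in stage 2 must be versioned, otherwise versioned dependencies on openssh-client (for example from openssh-server) are not satisfied by the gsskex package; and the stage-1 marker has to be Architecture: all while the stage-2 replacement must be Architecture: any, because it now ships binaries.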

