On Tue, Apr 02, 2024 at 01:30:10AM +0100, Colin Watson wrote:
> * add dependency-only packages called something like
>   openssh-client-gsskex and openssh-server-gsskex, depending on their
>   non-gsskex alternatives
> * add NEWS.Debian entry saying that people need to install these
>   packages if they want to retain GSS-API key exchange support
> * add release note saying the same
> * for Debian trixie+1 (or maybe after the next Ubuntu LTS, depending on
>   exact timings):
>   * add separate openssh-gsskex source package, carrying gssapi.patch
>     in addition to whatever's in openssh, and whose binary packages
>     Conflicts/Replaces/Provides the corresponding ones from openssh
>   * add some kind of regular CI to warn about openssh-gsskex being out
>     of date relative to openssh
>   * drop gssapi.patch from openssh, except for small patches to
>     configuration file handling to accept the relevant options with
>     some kind of informative warning (compare
>     https://bugs.debian.org/152657)

To speed things up for those who really want it, perhaps make
openssh-client/server dependency-only packages on
openssh-client/server-nogss? People can choose the less-compatible
version for this release if they want to, and the default can change
next release. Pushing back the ability to install the unpatched version
for a few more years seems suboptimal.