Your message dated Mon, 05 Dec 2022 09:46:04 -0800
with message-id <87lenlrbfn.fsf@contorta>
and subject line Re: Bug#1025455: libssh-dev: DSA support is disabled by default
has caused the Debian Bug report #1025455,
regarding libssh-dev: DSA support is disabled by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1025455: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025455
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libssh
Version: 0.10.4-2
Severity: important
Tags: patch
X-Debbugs-Cc: Vagrant Cascadian <[email protected]>
Control: block 1020087 by -1

In libssh 0.10.x versions, DSA support is deprecated and disabled by
default. This causes test suite failures when building guile-ssh which
tests support for DSA keys.

The attached patch enables DSA support, as was supported in previous
versions.

If that is not an option in time for bookworm freeze, please let me know
ASAP so I can patch guile-ssh instead.

Thanks for maintaining libssh!

live well,
vagrant
From d3963761a4e2666187e4fb5281f5f45c9e8a106f Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <[email protected]>
Date: Mon, 5 Dec 2022 00:19:05 +0000
Subject: [PATCH] debian/rules: Enable DSA support.
Upstream 0.10.x disables DSA support by default, and is likely to be
deprecated in future versions.
---
debian/rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/rules b/debian/rules
index fb55ca2..880aa59 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
#!/usr/bin/make -f
-DEB_CMAKE_EXTRA_FLAGS := -DBUILD_STATIC_LIB=ON -DLIB_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) -DUNIT_TESTING=$(if $(filter nocheck,$(DEB_BUILD_OPTIONS)),OFF,ON) -DWITH_GSSAPI=ON
+DEB_CMAKE_EXTRA_FLAGS := -DBUILD_STATIC_LIB=ON -DLIB_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) -DUNIT_TESTING=$(if $(filter nocheck,$(DEB_BUILD_OPTIONS)),OFF,ON) -DWITH_GSSAPI=ON -DWITH_DSA=ON
export DEB_LDFLAGS_MAINT_APPEND = -Wl,-z,defs -Wl,-O1
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
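Review bot: the `-DWITH_DSA=ON` appended at the end of the `DEB_CMAKE_EXTRA_FLAGS` line re-enables, for every user of the package, a key type that the commit message itself says upstream disables by default and is likely to deprecate, and debian/rules gets no comment saying why. If the flag has to go in, put it on its own line, e.g. `DEB_CMAKE_EXTRA_FLAGS += -DWITH_DSA=ON`, under a comment naming #1025455 and the guile-ssh test suite, so it reads as a one-line change and is easy to drop again. Adjusting the guile-ssh tests instead would avoid changing the library's defaults at all.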
--
2.30.2
--- End Message ---
--- Begin Message ---
On 2022-12-05, Martin Pitt wrote:
> Vagrant Cascadian [2022-12-04 16:45 -0800]:
>> In libssh 0.10.x versions, DSA support is deprecated and disabled by
>> default.
>
> This was indeed intended [1].
>
>> This causes test suite failures when building guile-ssh which
>> tests support for DSA keys.
>>
>> The attached patch enables DSA support, as was supported in previous
>> versions.
>> -DEB_CMAKE_EXTRA_FLAGS := -DBUILD_STATIC_LIB=ON
>> -DLIB_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) -DUNIT_TESTING=$(if
>> $(filter nocheck,$(DEB_BUILD_OPTIONS)),OFF,ON) -DWITH_GSSAPI=ON
>> +DEB_CMAKE_EXTRA_FLAGS := -DBUILD_STATIC_LIB=ON
>> -DLIB_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) -DUNIT_TESTING=$(if
>> $(filter nocheck,$(DEB_BUILD_OPTIONS)),OFF,ON) -DWITH_GSSAPI=ON -DWITH_DSA=ON
>
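Review bot: because `-DBUILD_STATIC_LIB=ON` sits in the same `DEB_CMAKE_EXTRA_FLAGS` value, the added `-DWITH_DSA=ON` applies to the static library as well as the shared one, so anything linked against the static archive keeps the DSA code until it is rebuilt. That makes the flag harder to withdraw later than the one-word diff suggests; if the only consumer is a test suite, skipping the DSA cases there is the smaller change.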
>> If that is not an option in time for bookworm freeze, please let me know
>> ASAP so I can patch guile-ssh instead.
>
> If at all possible, I'd rather not enable it in the Debian package. DSA isn't
> an acceptable crypt algorithm any more, and I'd rather not support it for
> another Debian release. OpenSSH deprecated it two years ago [2], the Fedora
> package does not enable it either [3], and libssh upstream will remove it in
> the next major version.

Yeah, I figured something along those lines might be the case, thanks
for clarity!

> Can guile-ssh be built easily without DSA support? If so, that'd be great (and
> then let's reassign or just close this bug). Otherwise I can have a look and
> help you with disabling the DSA feature in guile.

I've managed to patch it out of the guile-ssh test suite, at least
enough to get it to build a newer version in debian/experimental...
there may be bugs lurking in guile-ssh code if anyone actually tries to
use DSA with it, but that is not really for you to worry about at this
point.

Thanks for the quick response!

live well,
vagrant
--- End Message ---