Hi Job,

Thanks for reaching out.

On Wed, Jul 30, 2025 at 10:57:06AM +0000, Job Snijders wrote:
> Today I stumbled across the "temporary workaround" patch that is
> https://sources.debian.org/src/openssh/1:8.4p1-5+deb11u3/debian/patches/revert-ipqos-defaults.patch/
> caused by this report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923880
>
> Reading the associated threads it seems that VMware fixed their
> products by now, but I wasn't able to find pointers to threads that
> describe the problem in iptables and the solution (or if any solution
> was created?).
>
> Do you know whether the revert-ipqos-defaults.patch really still is
> needed?

As the submitter of the issue, I am in favour of dropping the patch at
the beginning of the forky cycle. Rationale as follows.

 * If I remember correctly, the change was introduced relatively close
   to a freeze and it posed difficulties to adapt iptables. Hence, I
   proposed *temporarily* reverting the change in ssh to give users
   more time to adapt and prepare.
 * It is now clear that iptables will not be fixed. The suggested
   workaround is to use numeric values. This workaround is deployable
   on old iptables versions.
 * We're transitioning from iptables to nftables, so compatibility with
   iptables becomes less of a concern. It still is, but the weight of
   the argument decays.
 * Debian is now deviating from the rest of the world and such
   deviation is always a downside.

The change likely warrants a NEWS entry.

> But it seems Colin Watson doesn't want to remove the
> revert-ipqos-defaults patch without users or developers confirming the
> issue is resolved.

This characterization seems unlikely to me. I'd like to hear what Colin
says himself.

Helmut

