Subject: Re: today's openssh version 3.7
To: None <current-users@NetBSD.org>
From: William Allen Simpson <wsimpson@greendragon.com>
List: current-users
Date: 09/19/2003 00:59:51

Frederick Bruckman wrote:
> 
> That's exactly backwards. OpenSSH is one of the few new programs
> that's been admitted to the base system since NetBSD was born. If
> anything, we should be getting rid of the "openssl" and "openssh"
> packages.
> 
> As far as timely maintenance in the face of a known security issue
> goes, the package system pales in comparison to the base. From the
> maintainer's point of view, in the base system, you just commit the
> tiny fix to the code, while for pkgsrc, you have to deal with automake
> or even crazier build systems, generate patches and PLISTS, and so on.

But the package itself has been updated in the canonical source.  So, 
checking the patches can't be that bad.  Perhaps the package make 
system is too hard to use?


> From the user's POV, the base system requires only a cvs update, build
> and install, 

Then, you have 1,000 (10,000? 100,000?) folks like me waiting about 14 
hours for `cvs up`, compiling -current, discovering that the build fails, 
re-cvs (only about 7 hours this time), -u build, discover the flist is 
bad, re-cvs, -u distribution (still running at this moment)....  

Basically, 2+ days, and still not updated, and this on a dedicated 
test machine.  I shudder to think what production systems are doing.

Presumably, since I'm connected to Internet II, it's not connection 
speed that took the CVS so long each time ;-)

Presumably, that was due to heavy load on the CVS servers :-(

I conclude it doesn't scale!


> while for pkgsrc, you have to do the cvs update, update
> your tools before the build, and update dependencies after.
> 
True, I did have to update pkg tools -- apparently they changed a few 
days ago, and an error message informed me, and I had to stop and 
manually update them, rather than everything happening automatically. 

But the CVS and compile took less than 2 hours, and only that long 
because the openssh package inexplicably depended on perl!

Nevertheless, I started this thread because (much to my surprise) 
debian took less than 2 minutes!  It's also easier!  And it scales!

Perry (and others) say there are some ideas about the future, and I'm 
interested in helping make that happen.  The status quo is not good.
-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32