Subject: Re: OF2.0 and /etc/mk.conf and ACCEPTABLE_LICENSES
To: Bill Studenmund <wrstuden@nas.nasa.gov>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: port-macppc
Date: 12/16/1999 16:25:57
On Thu, Dec 16, 1999 at 01:10:36PM -0800, Bill Studenmund wrote:
> Uhm, please don't steer folks away from the package system. Among other 
> things, we support it much more than we will support the type of
> install you describe. Plus deinstalling is MUCH easier. :-) To fix this 
> problem, "cp /usr/pkgsrc/mk/mk.conf.example /etc/mk.conf; vi /etc/mk.conf"

Bah... ssh builds clean, and installs itself outside of /usr/pkg
(unless you force it otherwise).  That, and I can make my own decisions
about RSAREF, etcetera. ;^>

Anyway, I only recommended it as there had been no (visible) response
to the original poster yet, I didn't know where the
mk.conf.example was kept, and I knew it had worked on every NetBSD
install I've done.

There aren't many things I install this way, but I'd like to stay more
up to date on daemons like ssh and apache (the only two which I run
that open ports) than the pkgsrc stays. But I'm a freak. So people
should definitely take Bill's advice over mine. :^>

> > Actually, you might want to look at OpenSSH (www.openssh.com) from the
> > OpenBSD project, but we don't have a Port for it right now and the
> > only Makefile around is the one that depends on a myriad of other
> > OpenBSD Makefiles. When I get some free time (ha!), I plan to write up
> > a Makefile to work with the source you can get from ftp.openbsd.org,
> > maybe even do a NetBSD port, presuming that isn't already in the works
> > (and I sincerely hope it is, considering the recent really scary
> > security problems in ssh 1.2.13+ and in the RSAREF2 library, neither
> > of which are a concern with OpenSSH).

Any comments on the OpenSSH front, Bill?

I mean, it shouldn't be hard to draw the port in from OpenBSD, should
it? This isn't, of course, really a macppc issue, and I should
probably just go bug the ports maintainer, I guess.

For those who missed the bugtraq banter, there are some buffer
overflows in the RSAREF2 library that ssh-1.2.2x uses, as well as an
inherent security vulnerability in the way that ssh-1.2.13 and later
have handled root privileges that don't exist in OpenSSH because it
was taken from the ssh-1.2.12 sources (which are still free for use,
as opposed to those from after ssh.com incorporated) and updated to
the current features of the ssh-1.2.x line. This means it doesn't have
the RSAREF2 vulnerabilities (since it doesn't link against those
libraries) nor the mishandling of root uid (since it doesn't split
processes in ssh-1.2.13+'s misguided way), and does interact
seamlessly with other ssh1-protocol daemons and clients.

> About shadow passwords, you're using them. Look at /etc/passwd and
> /etc/master.passwd. You won't find passwords in the former, and if you're
> not root, you won't find passwords in the latter. :-)

Whoops, forgot that. What Bill said. :^>

       ~ g r @ eclipsed.net