Subject: Re: OF2.0 and /etc/mk.conf and ACCEPTABLE_LICENSES
To: gabriel rosenkoetter <gr@eclipsed.net>
From: David Brownlee <abs@netbsd.org>
List: port-macppc
Date: 12/16/1999 21:54:23
On Thu, 16 Dec 1999, gabriel rosenkoetter wrote:

> Bah... ssh builds clean, and installs itself outside of /usr/pkg
> (unless you force it otherwise).  That, and I can make my own decisions
> about RSAREF, etcetera. ;^>
> 
	As you can in pkgsrc - I set 'USE_RSAREF2=NO', but then again
	I'm outside the US (currently :), and you can set PREFIX=/xxx
	to make pkgsrc install wherever you want.

> Anyway, I only recommended it as there had been no (visible) response
> to the original poster yet, I didn't know where the
> mk.conf.example was kept, and I knew it had worked on every NetBSD
> install I've done.
> 
	I was updating the Documentation/software/packages.html#mk.conf
	webpage to mention rc.conf and include a link to the current
	ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/mk/mk.conf.example
	:)

> There aren't many things I install this way, but I'd like to stay more
> up to date on daemons like ssh and apache (the only two which I run
> that open ports) than the pkgsrc stays. But I'm a freak. So people
> should definitely take Bill's advice over mine. :^>
> 
	I used to try to keep up to date on many different packages, then
	found with pkgsrc I could install 'pkglint' and run 'lintpksrc -i'
	which would report all the out of date packages (Ok, so I cheated
	and wrote 'lintpksrc -i' in the first place, but it still leaves
	me much more time for other things)

	For things that you really want to track up to the minute you can
	just modify your local pkgsrc entry (and even submit it back in a
	PR so everyone else can benefit - hint hint :)

	It's particularly nice to know which version of anything you have
	installed via 'pkg_info'.

> Any comments on the OpenSSH front, Bill?
> 
> I mean, it shouldn't be hard to draw the port in from OpenBSD, should
> it? This isn't, of course, really a macppc issue, and I should
> probably just go bug the ports maintainer, I guess.
> 
	I believe someone was looking at it, but the source was not
	available in a form that made this easy...

> For those who missed the bugtraq banter, there are some buffer
> overflows in the RSAREF2 library that ssh-1.2.2x uses, as well as an
> inherent security vulnerability in the way that ssh-1.2.13 and later
> have handled root privileges that don't exist in OpenSSH because it
> was taken from the ssh-1.2.12 sources (which are still free for use,
> as opposed to those from after ssh.com incorporated) and updated to
> the current features of the ssh-1.2.x line. This means it doesn't have
> the RSAREF2 vulnerabilities (since it doesn't link against those
> libraries) nor the mishandling of root uid (since it doesn't split
> processes in ssh-1.2.13+'s misguided way), and does interact
> seamlessly with other ssh1-protocol daemons and clients.
> 
	Those using USE_RSAREF2=NO in their /etc/mk.conf would never
	have had a vulnerable ssh. Those who were using rsaref just need
	to update to the latest source.

	That said - I also agree openssh is a good thing and would love a
	pkgsrc entry :)

		David/absolute
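Added example, not part of this thread and not pkgsrc's own code: a small
sh script that reads an mk.conf-style file the way the discussion above
uses it and reports where PREFIX points and whether USE_RSAREF2 is set to
NO, so an admin can check a host against the "never had a vulnerable ssh"
condition David describes. The sample mk.conf contents, the function
names, and the handling of only the '=' and '?=' operators are assumptions
made for illustration; real pkgsrc mk files support more than this parses.

```shell
#!/bin/sh
# Added example (not from the thread or pkgsrc): audit an mk.conf-style file
# for the two settings discussed above, PREFIX and USE_RSAREF2.
# Assumption: BSD make syntax, where a later '=' overrides an earlier one and
# '?=' only assigns when the variable is still unset. Other operators ('+=',
# ':=') are ignored here.

# mkconf_get FILE VAR -> prints the effective value of VAR (nothing if unset)
mkconf_get() {
    awk -v var="$2" '
        { sub(/#.*/, "") }                      # strip trailing comments
        /^[ \t]*$/ { next }                     # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (substr(line, 1, length(var)) != var) next
            c = substr(line, length(var) + 1, 1)
            if (c != "" && c !~ /[ \t?=]/) next  # e.g. FOO_BAR when var is FOO
            rest = substr(line, length(var) + 1)
            sub(/^[ \t]+/, "", rest)
            if (substr(rest, 1, 2) == "?=") {
                if (!seen) { val = substr(rest, 3); seen = 1 }
            } else if (substr(rest, 1, 1) == "=") {
                val = substr(rest, 2); seen = 1
            } else next
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        }
        END { if (seen) print val }
    ' "$1"
}

# rsaref_status FILE -> "disabled" when USE_RSAREF2 is NO, "enabled" when it
# is set to anything else, "unset" when the file does not mention it (so the
# admin goes and checks what the pkgsrc default does on that host).
rsaref_status() {
    v=$(mkconf_get "$1" USE_RSAREF2 | tr 'a-z' 'A-Z')
    case $v in
        "")  echo unset ;;
        NO)  echo disabled ;;
        *)   echo enabled ;;
    esac
}

# Constructed sample mk.conf for demonstration only; not any real host's file.
sample_mkconf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# local pkgsrc settings (constructed sample)
PREFIX?=	/usr/pkg
USE_RSAREF2=YES		# old setting
USE_RSAREF2=NO		# later line wins under '='
ACCEPTABLE_LICENSES+=	ssh-license
EOF
    echo "$f"
}

f=$(sample_mkconf)
echo "PREFIX=$(mkconf_get "$f" PREFIX)"
echo "rsaref: $(rsaref_status "$f")"
rm -f "$f"
```

Run it against a real /etc/mk.conf as `mkconf_get /etc/mk.conf USE_RSAREF2`;
"unset" is the case worth a second look, since the default then decides
whether ssh was built against rsaref.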