Opened 5 years ago

Last modified 5 years ago

#59016 closed defect

[openssh/openssl] : Apple keychain patch update should have blocked openssl upgrade — at Version 8

Reported by: RJVB (René Bertin) Owned by:
Priority: Normal Milestone:
Component: ports Version:
Keywords: security Cc: yan12125 (Chih-Hsuan Yen), majoc-at-astro (majoc-at-astro)
Port: openssh

Description (last modified by ryandesign (Ryan Carsten Schmidt))

Evidently I only discover this after upgrading myself:

        # TODO: Update patch 0002-Apple-keychain-integration-other-changes.patch to use OpenSSL 1.1 APIs.

(Introduced during [c15ce48157fd32bd5362ce868b9e32a54ea4d089/macports-ports])

I never realised until now that this patch isn't applied outside of any variants because it is so useful, and once you are used to the possibility of storing and fetching certificates (or their passphrases) from the keychain you become dependent on it very quickly. (Here's why my local efforts to keep OpenSSL 1.0x and 1.1x installed in parallel pay off: I can simply revert OpenSSH temporarily.)

I'll try to find some time to update the patch but will appreciate if someone beats me to it.

Change History (8)

comment:1 Changed 5 years ago by RJVB (René Bertin)

Description: modified (diff)

comment:2 Changed 5 years ago by kencu (Ken)

macports is keeping openssl 1.0 and 1.1 in parallel also.

check out old_openssl PG, for ex.

comment:3 Changed 5 years ago by RJVB (René Bertin)

True, I didn't think of that - but was it done in such a way that you can install port:openssl10 and then upgrade port:openssl without an immediate need to rebuild all dependents? ;)

Awkward name for the PG, BTW. I think I mentioned it on the 1.1 PR: this would have been an occasion to write an ssl PG. Such a general PG could also provide the depspecs in an appropriate fashion and contain whatever glue is required to opt in to LibreSSL and whatever other alternative implementations there are.

comment:4 Changed 5 years ago by neverpanic (Clemens Lang)

Feel free to update this patch to use OpenSSL 1.1 APIs or find a version somewhere else upstream that has done so already. Maybe Apple did actually update it already and it's on opensource.apple.com?

Given the nature of the OpenSSL update, we can't test every single variant of every port and wait for these to be adapted, I'm sorry.

comment:5 Changed 5 years ago by RJVB (René Bertin)

But this issue was identified, as evidenced by the comment, and the OSSL update procedure took so long that this could easily have been taken care of (I presume; I'm not familiar with the code).

I know there's some urgency to security-related upgrades, but if they break too many key features all you achieve is that users hold off from upgrading, or roll back.

comment:6 Changed 5 years ago by RJVB (René Bertin)

opensource.apple.com does have 7.9p1 (identified by Apple's own weird versioning, fortunately there's a version.h file that contains the real version): https://opensource.apple.com/source/OpenSSH/OpenSSH-220.231.1/

However, there are no patch files in there. Where did the 0002* patch file come from?

comment:7 Changed 5 years ago by majoc-at-astro (majoc-at-astro)

Cc: majoc-at-astro added

comment:8 Changed 5 years ago by ryandesign (Ryan Carsten Schmidt)

Description: modified (diff)