From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James" <sam@gentoo.org>
Message-ID: <1719829322.b9aab3ef968b7a6d58fa215223d116b98af7d399.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-misc/openssh/openssh-9.8_p1-r1.ebuild net-misc/openssh/openssh-9.8_p1.ebuild
X-VCS-Directories: net-misc/openssh/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: b9aab3ef968b7a6d58fa215223d116b98af7d399
X-VCS-Branch: master
Date: Mon,  1 Jul 2024 10:22:12 +0000 (UTC)

commit:     b9aab3ef968b7a6d58fa215223d116b98af7d399
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Jul  1 09:59:36 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Jul  1 10:22:02 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9aab3ef

net-misc/openssh: restart sshd on major version upgrades

openssh-9.8_p1 again breaks cross-version compatibility, meaning that
a running sshd with 9.7_p1 will no longer be able to accept connections
after upgrading to 9.8_p1.

We tried doing a news item on this in the past (bug #709748) and it ended
up being insufficient and poorly coordinated (as you really need it again
when stabling).

Nobody is going to thank us for leaving their sshd broken, so pick
the lesser evil and attempt to restart sshd on major version upgrades.

This is especially important as people may be racing to upgrade to 9.8_p1
for the CVE-2024-6387 fix (although we have backported a fix to older versions).

I also note there's precedent here with e.g. the systemd rebuild where
it's done to avoid immediate breakage of user sessions.

Thanks to kerframil who proposed a snippet for this some time ago whose
work I've lifted here.

Bug: https://bugs.gentoo.org/709748
Bug: https://bugs.gentoo.org/935271
Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...nssh-9.8_p1.ebuild => openssh-9.8_p1-r1.ebuild} | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/net-misc/openssh/openssh-9.8_p1.ebuild b/net-misc/openssh/openssh-9.8_p1-r1.ebuild
similarity index 93%
rename from net-misc/openssh/openssh-9.8_p1.ebuild
rename to net-misc/openssh/openssh-9.8_p1-r1.ebuild
index 4d382b9b6ac6..9a15dd231570 100644
--- a/net-misc/openssh/openssh-9.8_p1.ebuild
+++ b/net-misc/openssh/openssh-9.8_p1-r1.ebuild
@@ -395,4 +395,37 @@ pkg_postinst() {
 		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"
 		elog "and update all clients/servers that utilize them."
 	fi
+
+	openssh_maybe_restart
+}
+
+openssh_maybe_restart() {
+	local ver
+	declare -a versions
+	read -ra versions <<<"${REPLACING_VERSIONS}"
+	for ver in "${versions[@]}"; do
+		# Exclude 9.8_p1 because it didn't have the safety check
+		[[ ${ver} == 9.8_p1 ]] && break
+
+		if [[ ${ver%_*} == "${PV%_*}" ]]; then
+			# No major version change has occurred
+			return
+		fi
+	done
+
+	if [[ ${ROOT} ]]; then
+		return
+	elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then
+		ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
+		ewarn "bricking the running instance. See bug #709748."
+		ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'"
+		systemctl try-restart sshd
+		eend $?
+	elif [[ -d /run/openrc ]]; then
+		ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
+		ewarn "bricking the running instance. See bug #709748."
+		ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'"
+		rc-service -q --ifstarted --nodeps sshd restart
+		eend $?
+	fi
 }
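Review bot: the OpenRC arm (`elif [[ -d /run/openrc ]]; then`) restarts sshd without the `sshd -t` configuration check that guards the systemd arm, so a configuration the new version no longer accepts would stop the running daemon and then fail to start it, which is exactly the lockout this change is meant to avoid; suggest `elif [[ -d /run/openrc ]] && sshd -t >/dev/null 2>&1; then` so both paths behave the same. Relatedly, when `sshd -t` fails on the systemd path the function falls through silently (its output is discarded), leaving the user with an old sshd that will stop accepting connections and no message about why no restart was attempted; a final `else` arm with an `ewarn` saying the restart was skipped because the config check failed would make that condition visible. Finally, the `[[ ${ver} == 9.8_p1 ]] && break` line deserves a comment spelling out that the break deliberately forces a restart when replacing 9.8_p1, since at first read it looks like an exclusion rather than an inclusion.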