public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
From: Joshua Kinard @ 2020-07-25 23:40 UTC
  To: gentoo-dev

So I stumbled into Bug #733802, which now defaults the 'scp' USE flag to off
in net-misc/openssh.  This seems like something that needs a news entry, or
at least a "heads up" on the mailing list?  Potential for some scripts to
break if scp suddenly goes missing after an openssh update.

-- 
Joshua Kinard
Gentoo/MIPS
kumba@gentoo.org
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic



* Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
From: Rich Freeman @ 2020-07-26  0:05 UTC
  To: gentoo-dev

On Sat, Jul 25, 2020 at 7:40 PM Joshua Kinard <kumba@gentoo.org> wrote:
>
> This seems like something that needs a news entry, or
> at least a "heads up" on the mailing list?

Definitely not a "heads up" on the mailing list - that is not an
appropriate way to communicate anything to users - not even devs are
required to read this list.

The two appropriate ways to communicate something like this are
einfo/ewarn/etc or news.  Never hurts to use news.  Ideally I'd point
to a substitute, and I'd suggest one myself if I were aware of one...

-- 
Rich



* Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
From: John Helmert III @ 2020-07-26  0:14 UTC
  To: gentoo-dev


On Sat, Jul 25, 2020 at 08:05:14PM -0400, Rich Freeman wrote:
> On Sat, Jul 25, 2020 at 7:40 PM Joshua Kinard <kumba@gentoo.org> wrote:
> >
> > This seems like something that needs a news entry, or
> > at least a "heads up" on the mailing list?
> 
> Definitely not a "heads up" on the mailing list - that is not an
> appropriate way to communicate anything to users - not even devs are
> required to read this list.
> 
> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news.  Never hurts to use news.  Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

Just to have this information here for easy access, this is upstream's
response from that bug's URL [1]. They recommend "rsync or something else":

    The scp command is a historical protocol (called rcp) which relies
    upon that style of argument passing and encounters expansion
    problems. It has proven very difficult to add "security" to the scp
    model. All attempts to "detect" and "prevent" anomalous argument
    transfers stand a great chance of breaking existing workflows. Yes,
    we recognize it the situation sucks. But we don't want to break the
    easy patterns people use scp for, until there is a commonplace
    replacement. People should use rsync or something else instead if
    they are concerned.

[1] https://github.com/cpandya2909/CVE-2020-15778/



* Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
From: Toralf Förster @ 2020-07-26  8:30 UTC
  To: gentoo-dev



On 7/26/20 2:05 AM, Rich Freeman wrote:
> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news.  Never hurts to use news.  Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

ewarn please, einfo is too weak

-- 
Toralf
PGP 23217DA7 9B888F45




* Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
From: Ulrich Mueller @ 2020-07-26  9:57 UTC
  To: Rich Freeman; +Cc: gentoo-dev


>>>>> On Sun, 26 Jul 2020, Rich Freeman wrote:

> Definitely not a "heads up" on the mailing list - that is not an
> appropriate way to communicate anything to users - not even devs are
> required to read this list.

> The two appropriate ways to communicate something like this are
> einfo/ewarn/etc or news.  Never hurts to use news.  Ideally I'd point
> to a substitute, and I'd suggest one myself if I were aware of one...

Even more appropriate would be to enable the flag with an IUSE default.
The ebuild could still display an ewarn message pointing out the alleged
security issue.

Ulrich


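An added illustration of the IUSE-default-plus-ewarn approach Ulrich describes; this is a constructed ebuild-style fragment, not the thread's own code and not the real net-misc/openssh ebuild. The use() and ewarn() stubs, the USE-from-environment handling and the scp_warning() helper are assumptions so the fragment runs in a plain shell outside Portage.

```shell
# Constructed ebuild-style fragment (not the real net-misc/openssh ebuild).
# "+scp" keeps the flag enabled by default, so the scp binary stays installed;
# the warning below is what pkg_postinst() would print on every merge.
IUSE="+scp"   # leading '+' marks an IUSE default (flag on unless USE=-scp)

# Stub standing in for Portage's use(): honours an explicit USE=scp / USE=-scp
# from the environment, otherwise falls back to the IUSE default above.
use() {
    case " ${USE:-} " in
        *" $1 "*)   return 0 ;;   # explicitly enabled
        *" -$1 "*)  return 1 ;;   # explicitly disabled
    esac
    case " ${IUSE} " in *" +$1 "*) return 0 ;; *) return 1 ;; esac
}

# Stub standing in for Portage's ewarn(): Toralf's point is that einfo is too
# easy to miss, so the message goes out at warning level, on stderr.
ewarn() { printf ' * %s\n' "$*" >&2; }

# Returns 0 (and warns) when scp is being installed, 1 when USE=-scp dropped it.
scp_warning() {
    if use scp; then
        ewarn "scp (USE=scp) is enabled. scp hands the remote path to the remote"
        ewarn "shell for expansion (CVE-2020-15778, see bug #733802); upstream"
        ewarn "suggests rsync or something else. Set USE=-scp to stop installing scp."
        return 0
    fi
    return 1
}
```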

* Re: [gentoo-dev] Bug #733802, USE 'scp' now defaults to off in net-misc/openssh
From: Joonas Niilola @ 2020-07-27  7:22 UTC
  To: gentoo-dev




On 7/26/20 12:57 PM, Ulrich Mueller wrote:
> Even more appropriate would be to enable the flag with an IUSE default.
> The ebuild could still display an ewarn message pointing out the alleged
> security issue.
>
> Ulrich

This'd be nice. A news-worthy update in my opinion regardless.

-- juippis




