Bug 452770 - net-libs/ldns-1.6.13-r1[ecdsa] missing dependency on dev-libs/openssl-1.0.1c[-bindist]
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal normal
Assignee: MATSUU Takuto (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 435372
Reported: 2013-01-18 08:25 UTC by Michael Weber (RETIRED)
Modified: 2015-07-08 03:23 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (file_452770.txt,11.32 KB, text/plain)
2013-01-18 08:25 UTC, Michael Weber (RETIRED)

Description Michael Weber (RETIRED) gentoo-dev 2013-01-18 08:25:05 UTC
Created attachment 336016
build.log

During the openssh-6.1_p1-r1[ldns] update, which depends on ldns[ssl], this one
came up.

It only shows with unstable openssh-1.0.1c. 
Stable openssl-1.0.0j/ldns-1.6.12 is not affected.


Portage 2.2.0_alpha154 (default/linux/amd64/10.0/developer, gcc-4.7.2, glibc-2.16.0, 3.7.1-gentoo-b-4.1 x86_64)
=================================================================
System uname: Linux-3.7.1-gentoo-b-4.1-x86_64-Westmere_E56xx-L56xx-X56xx_-Nehalem-C-with-gentoo-2.2
KiB Mem:     2061516 total,   1600976 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Unknown
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:          4.2_p42
dev-lang/python:          2.7.3-r3, 3.2.3-r2
dev-util/cmake:           2.8.10.2-r1
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.6.3, 4.7.2
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.16.0
Repositories: gentoo local xmw
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/spool/munin-async/.ssh"
CONFIG_PROTECT_MASK="${EPREFIX}/etc/gconf /etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms sign split-log strict test test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/var/cache/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /var/lib/xmw-overlay"
SYNC="cvs://xmw@cvs.gentoo.org:/var/cvsroot"
USE="X a52 aac acl acpi alsa amd64 berkdb bindist bluetooth bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif gpm gtk iconv ipv6 jbig jpeg lcms ldap libnotify mad mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds pppd python qt3support qt4 readline sdl session snmp spell sse sse2 ssl startup-notification svg tcpd tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 xcb xml xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console 
presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.2"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Michael Weber (RETIRED) gentoo-dev 2013-01-18 09:32:25 UTC
Stable openssl is not sufficient.
Unstable openssl and stable ldns do compile and run with openssh[ldns].
Comment 2 Michael Weber (RETIRED) gentoo-dev 2013-01-18 09:51:29 UTC
The current situation (using developer profile) needs manual use flags.

openssh/openssl default to [bindist], which turns ecdsa support off in openssl.
ldns defaults to [ecdsa], which depends on openssl ECDSA support -> this report.

I have not tested the functionality of openssh/dnssec/ecdsa with
ldns[-ecdsa].
Comment 3 Michael Weber (RETIRED) gentoo-dev 2013-01-18 10:07:23 UTC
I've tested 'ssh -v' with a remote DNS server (unbound on hund.fs.lmu.de)
and SSHFP/DSA enabled hund.fs.lmu.de (debian)
and SSHFP/RSA+DSA+ECDSA enabled spot.xmw.de (gentoo)

USE="ecdsa ldns -bindist" emerge -av1 openssh openssl ldns
works, i.e. marks found keys as "secure" 

USE="-ecdsa ldns bindist" emerge -av1 openssh openssl ldns
works, i.e. marks found keys as "secure", __BUT__ uses the RSA key on the ECDSA-enabled box, asking for fingerprint confirmation.

@robbat: I'd force ecdsa support upon users by depending on ldns[ecdsa]
I haven't figured out why you depend on [ssl].
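
The SSHFP records that the 'ssh -v' test in comment 3 relies on are derived from a host's public keys. This added example (not part of the original bug report) computes them and, as a simplifying assumption, filters out the records a client built without ECDSA cannot use. The key material and the name host.example. are constructed, and all function names are hypothetical.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594) by OpenSSH key type.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """Encode an SSH wire-format string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def sshfp_records(pubkey_line, hostname):
    """Return the SSHFP zone-file lines for one OpenSSH public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob repeats the key type as its first field; reject a mismatch.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type label does not match key blob")
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    algo = SSHFP_ALGORITHMS[key_type]
    # The fingerprint is the hash of the whole decoded key blob.
    return ["%s IN SSHFP %d %d %s" % (hostname, algo, fp, h(blob).hexdigest())
            for fp, h in sorted(FP_TYPES.items())]


def available_for(records, supported_algos):
    """Assumed model: keep records whose key algorithm the client supports."""
    return [r for r in records if int(r.split()[3]) in supported_algos]


def constructed_key_line(key_type, *fields):
    """Build a syntactically valid public key line from placeholder fields."""
    blob = b"".join(_ssh_string(f) for f in (key_type.encode(),) + fields)
    return key_type + " " + base64.b64encode(blob).decode()


# Constructed sample keys (placeholder bytes, not real host keys).
ECDSA_LINE = constructed_key_line("ecdsa-sha2-nistp256", b"nistp256",
                                  b"\x04" + bytes(64))
RSA_LINE = constructed_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 256)

if __name__ == "__main__":
    recs = sshfp_records(RSA_LINE, "host.example.") + sshfp_records(ECDSA_LINE, "host.example.")
    print("\n".join(recs))
    print("usable without ECDSA:", len(available_for(recs, {1, 2})))
```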
Comment 4 Michael Weber (RETIRED) gentoo-dev 2013-01-18 10:17:52 UTC
(In reply to comment #2)
> The current situation (using developer profile) needs manual use flags.

You're missing DEPEND "ecdsa? ( openssl[-bindist] )" (plain fact) and the current defaults are inconvenient.

Sorry for the spam.
Comment 5 SpanKY gentoo-dev 2013-01-18 17:33:21 UTC
(In reply to comment #2)

err, no, USE=bindist is not the default for any profile.  release images manually include USE=bindist when building stages/etc..., but that's it.
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2013-01-22 02:42:10 UTC
InCVS.
Comment 7 Luke-Jr 2015-07-07 21:12:31 UTC
This new dependency breaks using ldns[ecdsa] with OpenSSL 1.0.0r. Since 1.0.1 has unresolved vulnerabilities, can an || be added to build against the older version?
Comment 8 SpanKY gentoo-dev 2015-07-08 03:23:30 UTC
(In reply to Luke-Jr from comment #7)

i don't know what vague "unresolved vulnerabilities" you're talking about.  we're not updating 1.0.0 anymore and 1.0.1 is already stable.