Bug 652438 - net-misc/openssh-7.7_p1 version bump
Summary: net-misc/openssh-7.7_p1 version bump
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2018-04-04 17:41 UTC by tonemgub
Modified: 2018-04-11 15:47 UTC

Description tonemgub 2018-04-04 17:41:25 UTC
Upstream released a new version of OpenSSH.
https://www.openssh.com/txt/release-7.7
Comment 1 Larry the Git Cow gentoo-dev 2018-04-11 02:44:15 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b74fc16d7b050757989bd8ebba1366e3b8eeda1

commit 9b74fc16d7b050757989bd8ebba1366e3b8eeda1
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-04-11 02:16:28 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-04-11 02:43:57 +0000

    net-misc/openssh: Bump to v7.7_p1
    
    Ebuild changes:
    ===============
    - HPN patch set updated to v14.14. MT AES CTR ciphers are still not
      working at the moment but we are working on this.
    
    - SCTP patch updated for openssh-7.7_p1.
    
    - LDAP patch is currently not available because patch isn't compatible
      with openssh-7.7_p1 and needs a major rewrite because upstream removed
      auth_parse_options() via commit 7c8568576071.
    
    - X.509 patch updated to v11.3.1.
    
    - Previously, SCTP patch sometimes got applied even when "sctp" USE flag
      wasn't set, this is now fixed.
    
    - We now always expose applied patches in version string (previously
      this was only the case for some patches and was also depending on
      whether the "hpn" USE flag was enabled or not).
    
    - Make sure "/var/empty" gets preserved by package manager. [Bug 647034]
    
    - Runscript: "use" entropy. [Bug 470020]
    
    - Runscript: Use "/run" instead of "/var/run". [Bug 555734]
    
    - Runscript: Verify daemon is really up and running. [Bug 617596]
    
    - Runscript: Simplified (thanks to Michael Orlitzky)
    
    - Runscript: Add prefix support. [Bug 640666]
    
    - Runscript: It is now possible to pass any by start-stop-daemon supported
                 arguments (like "--ionice" or "--nicelevel" for example) to
                 start-stop-daemon. [Bug 636764]
    
    Closes: https://bugs.gentoo.org/470020
    Closes: https://bugs.gentoo.org/555734
    Closes: https://bugs.gentoo.org/617596
    Closes: https://bugs.gentoo.org/636764
    Closes: https://bugs.gentoo.org/640666
    Closes: https://bugs.gentoo.org/647034
    Closes: https://bugs.gentoo.org/652438
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 net-misc/openssh/Manifest                          |   4 +
 .../openssh/files/openssh-7.7_p1-GSSAPI-dns.patch  | 351 ++++++++++++++++++
 net-misc/openssh/files/sshd-r1.confd               |  33 ++
 net-misc/openssh/files/sshd.rc6.5                  |  89 +++++
 net-misc/openssh/openssh-7.7_p1.ebuild             | 406 +++++++++++++++++++++
 5 files changed, 883 insertions(+)
Comment 2 Kobboi 2018-04-11 07:21:10 UTC
>>> Running pre-merge checks for net-misc/openssh-7.7_p1
 * Sorry, but this version does not yet support features
 * that you requested:	 ldap

Then don't unmask the ebuild.
Comment 3 Tomáš Mózes 2018-04-11 09:36:53 UTC
(In reply to Kobboi from comment #2)
> >>> Running pre-merge checks for net-misc/openssh-7.7_p1
>  * Sorry, but this version does not yet support features
>  * that you requested:	 ldap
> 
> Then don't unmask the ebuild.

Not everybody uses ldap :) It works perfectly fine for my use cases.
Comment 4 Kobboi 2018-04-11 13:38:00 UTC
True, but with ldap being set in the "desktop" profile, I'm probably not going to be the only one hitting this :) It subsequently breaks my update script because of this failed pre-merge check. If the missing ldap support is about the ebuild not having it implemented yet, my opinion is that this should simply not have been pushed to the tree yet, but maybe that's just me.
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-04-11 13:48:06 UTC
commit 0a6777eea17921fd2fb1a27f5e9e222ac8a73ccb
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Apr 11 15:45:23 2018

    package.use.mask: Masked "ldap" USE flag for >=openssh-7.7_p1
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-11 15:47:37 UTC
(In reply to Kobboi from comment #4)
> True, but with ldap being set in the "desktop" profile, I'm probably not
> going to be the only one hitting this :) It subsequently breaks my update
> script because of this failed pre-merge check. If the missing ldap support
> is about the ebuild not having it implemented yet, my opinion is that this
> should simply not have been pushed to the tree yet, but maybe that's just me.

In this case please fix your setup and make sure you either unset global "ldap" USE flag if you don't care about LDAP support in general or just unset it for openssh package.

Let me share the reasons why openssh ebuild is actually doing it this way:

SSH can be a critical service. Think about a remote system without physical access. You don't want such a system to update to a new version without a feature you depend on. So we decided to make openssh fail with an error to allow the user to make a choice instead of silently dropping a feature which can render a remote system inaccessible.

The main mistake was to add such a custom feature in the past. Now we have to deal with it until we get rid of it... :/

But holding back a whole package for a purely optional feature is not an option either.

You see the dilemma?

The package.use.mask for desktop profile is questionable, I would call it a bet: While improving "user experience" for desktop profile users we simply hope that nobody using desktop profile is depending on LDAP support in sshd. Because if you depend on LDAP support and therefore did everything right (i.e. you explicitly enabled "ldap" USE flag for openssh package in your package.use configuration as written in the handbook) you are now doomed because due to the package.use.mask you won't notice and silently upgrade to new openssh without LDAP support so you might lose access to this box on service restart.

So from my perspective it would be better to force all desktop profile users to take action and disable global "ldap" USE flag for openssh package.

But time will show us if we won the bet or caused a major problem.
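
The trade-off described in comment 6, as an added example that is not part of the thread and is not Portage or ebuild code: a constructed shell model of a fail-closed pre-merge check, and of how a USE mask lets the same upgrade proceed with the feature removed. The function names and flag lists are hypothetical.

```shell
#!/bin/sh
# Constructed model, not Portage or ebuild code. Flag lists are space-separated.

# Remove every flag listed in $2 (the mask) from $1 (the flags the user requested).
apply_use_mask() {
    out=""
    for flag in $1; do
        case " $2 " in
            *" $flag "*) ;;                  # masked: forced off without an error
            *) out="$out $flag" ;;
        esac
    done
    echo "${out# }"
}

# Fail closed: return 1 if any requested flag is absent from $2 (supported features).
premerge_check() {
    missing=""
    for flag in $1; do
        case " $2 " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo " * Sorry, but this version does not yet support features" >&2
    echo " * that you requested:$missing" >&2
    return 1
}

# Flags the user asked for that the mask removed: features that vanish unnoticed.
silently_dropped() {
    out=""
    for flag in $1; do
        case " $2 " in
            *" $flag "*) out="$out $flag" ;;
        esac
    done
    echo "${out# }"
}

# Constructed sample values for a host that explicitly enabled "ldap".
REQUESTED="hpn ldap pam"; SUPPORTED="hpn pam sctp X509"; MASKED="ldap"
EFFECTIVE=$(apply_use_mask "$REQUESTED" "$MASKED")
premerge_check "$REQUESTED" "$SUPPORTED" || echo "no mask: merge refused"
premerge_check "$EFFECTIVE" "$SUPPORTED" &&
    echo "mask: merge proceeds without: $(silently_dropped "$REQUESTED" "$MASKED")"
```

Comparing the explicitly requested flags against the masked set before an unattended upgrade, as `silently_dropped` does in this model, surfaces the case the comment warns about before sshd is restarted.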