[ssh_x509] please split up the x509 patch

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Mon Feb 8 23:45:57 EET 2016

On Mon, Feb 8, 2016 at 1:00 PM, <ssh_x509 at roumenpetrov.info> wrote:

> ssh_x509 at roumenpetrov.info wrote:
>> the x509 patch has picked up a number of changes unrelated to x509.
>> some quick, but certainly not complete, examples:
>>   - openssl configure flag deleted
> PKIX-SSH requires openssl (or a fork). It is useless to request support
> for X.509 public key algorithms without a cryptographic library that could
> manage them.

that's irrelevant.  if you want to require openssl, then in the x509
configure part, simply detect the flag the user specified earlier.  if they
try to disable openssl but enable x509, then throw an error with
AC_MSG_ERROR and force them to fix their invalid combination.

> Unfortunately --with options support arguments and 90% of developers miss
> this fact. Autoconf documentation is confusing as the samples do not show
> that functionality.
> What if user try to configure with --with-openssl=useit?
> More correct is to use --disable-feature , i.e. macro AC_ARG_ENABLE.

that isn't x509's problem.  if you want to rename things, then please send
changes like this to upstream instead of applying your own (unrelated to
x509) changes to the codebase.

> I would like to propose that you modify openssh to use a more precise
> option - see attached file
> "0003-configure.ac-use-enable-ssh1-instead-ambiguous-with-.patch" with patch

i have no interest in maintaining more patches to openssh.  the point is
to converge, not diverge.  especially when the patches are largely
pointless for the end user.

>>   - tcp-wrapper support re-added (after upstream dropped it)
> It was never a default option so I'm not sure what the issue is here.

it isn't part of x509, so it doesn't belong in the patchset

>> if you want to make changes to support more stuff, that's fine, but
>> please release a "core" or "minimal" x509 patchset that *only* adds
>> x509 features.
> Release logic is changed with version 8.0. This version is first one that
> distributes complete source package. There will be no more X.509 patch. For
> reference I will continue publish difference between PKIX-SSH and OpenSSH
> using old file naming convention.

that'll make my life easier in Gentoo i suppose as i can simply delete x509
and make users find/build it themselves.

> HPN and GSSAPI are not managed any more. Unfortunately I'm not able to add
> some of the functionality of those patches to PKIX-SSH.

HPN is still managed/updated
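The configure-time check argued for above (detect the earlier openssl flag, reject the "no openssl but x509" combination with AC_MSG_ERROR) and the --with-openssl=useit pitfall Roumen raises can both be handled in a few lines of configure.ac. The fragment below is an added illustration written for this page; it is not taken from the PKIX-SSH patch or from OpenSSH's configure.ac, and the option names --with-openssl and --enable-x509 plus the SSH_X509 define are assumed for the example.

```m4
dnl Added example for this thread, not code from PKIX-SSH or OpenSSH.
dnl Option names (--with-openssl, --enable-x509) and the SSH_X509 define
dnl are assumptions made for the illustration.

dnl --with options accept a value (--with-openssl=useit), so normalise the
dnl value instead of trusting it: only yes/no are meaningful here.
AC_ARG_WITH([openssl],
  [AS_HELP_STRING([--without-openssl],
                  [build without OpenSSL (also disables X.509 support)])],
  [case "$withval" in
     yes|no) with_openssl=$withval ;;
     *) AC_MSG_ERROR([--with-openssl does not take a value (got "$withval")]) ;;
   esac],
  [with_openssl=yes])

dnl A feature switch is what AC_ARG_ENABLE is for; same value check as above.
dnl Default follows the openssl decision made earlier in the same configure run.
AC_ARG_ENABLE([x509],
  [AS_HELP_STRING([--enable-x509],
                  [enable X.509 public-key algorithms (requires OpenSSL)])],
  [case "$enableval" in
     yes|no) enable_x509=$enableval ;;
     *) AC_MSG_ERROR([--enable-x509 does not take a value (got "$enableval")]) ;;
   esac],
  [enable_x509=$with_openssl])

dnl The X.509 code cannot be built without the library, so refuse the
dnl combination instead of silently re-enabling OpenSSL behind the user's back.
AS_IF([test "$enable_x509" = yes && test "$with_openssl" = no],
  [AC_MSG_ERROR([--enable-x509 requires OpenSSL; drop --without-openssl or pass --disable-x509])])

AS_IF([test "$enable_x509" = yes],
  [AC_DEFINE([SSH_X509], [1], [Define if X.509 public-key support is built in])])
```

With this in place, `./configure --without-openssl --enable-x509` fails early with a clear message rather than producing a tree that only breaks at link time, and `./configure --with-openssl=useit` is rejected instead of being read as "yes"; the x509 logic itself stays self-contained because it only consults `$with_openssl`, which the existing openssl option already sets.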
