[plug] file transfer performance linux/windows and filezilla

William Kenworthy billk at iinet.net.au
Wed May 12 07:25:40 WST 2004


On Wed, 2004-05-12 at 06:23, Denis Brown wrote:
> How embarrassing.
yep ... :)
> <slightly off-thread>
> I see that OpenSSH is now at release 3.8p1 (portability branch) so the
> Debian 3.4p1-1.woody would seem to be a bit elderly.   However this might
> not be true, given that Debian and other distros seem to offer patches for
> existing releases.  Thus 3.4p1-1.woody might be much closer to 3.8p1 than
> the figures would suggest.   How do the from-source distributions such as
> gentoo and crux deal with this?   Patching or outright fresh versions?
> </slightly o-t>
> 
> Cheers,
> Denis

Why bother doing the patch dance?  

gentoo just makes the latest fix release from the upstream source stable
after a suitable test period (very short if a serious security bug).
openssh 3.8.1_p1 is marked "~x86" and is in testing ready to go.  gentoo
does patch, usually for functionality, rarely for security (though
kernels seem to be an exception to that) as the upstream source almost
always does that for you - it's just gotta be tested first.

rattus root # emerge openssh -s
Searching...
[ Results for search key : openssh ]
[ Applications found : 1 ]
  
*  net-misc/openssh
      Latest version available: 3.8_p1
      Latest version installed: 3.8_p1
      Size of downloaded files: 934 kB
      Homepage:    http://www.openssh.com/
      Description: Port of OpenBSD's free SSH release
      License:     as-is

rattus root # ACCEPT_KEYWORDS="~x86" emerge openssh -s
Searching...
[ Results for search key : openssh ]
[ Applications found : 1 ]
  
*  net-misc/openssh
      Latest version available: 3.8.1_p1
      Latest version installed: 3.8_p1
      Size of downloaded files: 939 kB
      Homepage:    http://www.openssh.com/
      Description: Port of OpenBSD's free SSH release
      License:     as-is

Also, not sure how widespread the "knowledge" about checking gentoo for
sec updates is, but try emerge'ing gentools and run "glsa-check -l" to
check your system against all released security updates - still
experimental, but looks good so far.

One of the problems I see with binary distros is that patching older
code seems to create confusion - I see ssh 3.4 and immediately think
"insecure", and have to start looking up package versions to make sure
it's ok.  With gentoo, you can usually (except for kernels) go by the
upstream provider's bug<->version map to see if you are vulnerable or
not.  Much cleaner IMHO.

For gentoo'ans, it's also possible to get the install history via
"genlop":

rattus root # genlop openssh

 * net-misc/openssh
 
     Thu Dec 26 16:44:02 2002 --> net-misc/openssh-3.5_p1
     Fri Dec 27 10:43:18 2002 --> net-misc/openssh-3.5_p1
     Wed Jan  8 00:17:11 2003 --> net-misc/openssh-3.5_p1
     Fri Jan 17 04:50:57 2003 --> net-misc/openssh-3.5_p1
     Sat May  3 07:49:17 2003 --> net-misc/openssh-3.6.1_p2
     Sat Aug 16 03:12:26 2003 --> net-misc/openssh-3.6.1_p2
     Mon Aug 25 21:02:28 2003 --> net-misc/openssh-3.6.1_p2
     Wed Sep 17 20:50:50 2003 --> net-misc/openssh-3.7.1_p1
     Thu Sep 18 18:57:43 2003 --> net-misc/openssh-3.7.1_p1
     Wed Sep 24 06:52:00 2003 --> net-misc/openssh-3.7.1_p2
     Mon Dec  8 09:41:09 2003 --> net-misc/openssh-3.7.1_p2-r1
     Sat Feb 28 10:34:08 2004 --> net-misc/openssh-3.7.1_p2-r2
     Mon Mar 29 23:35:09 2004 --> net-misc/openssh-3.7.1_p2-r2
     Sat Apr  3 11:18:11 2004 --> net-misc/openssh-3.7.1_p2-r2
     Fri Apr 30 22:24:33 2004 --> net-misc/openssh-3.8_p1
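
Added example, not part of the original message: a Python sketch of the check described above, reading genlop history and comparing each installed version against an upstream "fixed in" version. FIXED_IN is a constructed threshold rather than a value from any advisory, and the function names are made up for this illustration.

```python
import re
from datetime import datetime

# Subset of the genlop output quoted in the message above.
GENLOP = """\
     Sat Aug 16 03:12:26 2003 --> net-misc/openssh-3.6.1_p2
     Wed Sep 17 20:50:50 2003 --> net-misc/openssh-3.7.1_p1
     Wed Sep 24 06:52:00 2003 --> net-misc/openssh-3.7.1_p2
     Mon Dec  8 09:41:09 2003 --> net-misc/openssh-3.7.1_p2-r1
     Fri Apr 30 22:24:33 2004 --> net-misc/openssh-3.8_p1
"""
# Constructed threshold for illustration; not taken from any advisory.
FIXED_IN = "3.7.1p2"

LINE = re.compile(r"^\s*(\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}) --> \S+/\S+?-(\d\S*)$")
VER = re.compile(r"^(\d+(?:\.\d+)*)(?:_?p(\d+))?(?:-r(\d+))?$")

def version_key(version):
    """Sort key for the numeric[_pN][-rN] subset of Portage versions."""
    # Upstream spelling (3.7.1p2) is accepted; a distro revision such as
    # 3.4p1-1.woody is rejected rather than guessed at.
    m = VER.match(version)
    if not m:
        raise ValueError(f"not comparable to upstream: {version!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    return nums, int(m.group(2) or 0), int(m.group(3) or 0)

def parse_history(text):
    """Yield (install_time, version) for each genlop history line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)

def exposure(text, fixed_in):
    """Return (versions installed below fixed_in, time of first fixed install)."""
    below, first_fixed = [], None
    for when, version in sorted(parse_history(text)):
        if version_key(version) < version_key(fixed_in):
            below.append(version)
        elif first_fixed is None:
            first_fixed = when
    return below, first_fixed

if __name__ == "__main__":
    below, fixed_at = exposure(GENLOP, FIXED_IN)
    print("installed below", FIXED_IN, ":", below)
    print("first fixed install:", fixed_at)
```

A string like 3.4p1-1.woody raises ValueError here on purpose: a package carrying backported patches has to be checked against the distro's own advisories, not the upstream version map.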






