Hello Group,
The latest rpm in openssh is 5.8, however, the corresponding latest rpm available in centos 5.7 is only
openssh-4.3p2-72.el5_6.3.x86_64.rpm
and in 6.0 centos is
openssh-5.3p1-20.el6.x86_64.rpm
I have following questions.
1. I want to start from src.rpm and where can I get the src.rpm for openssh-5.3p1-20.el6.x86_64.rpm.
2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with 5.7 centos without causing any problems.
3. Which of these two rpms will be most compatible with latest openssh rpm version 5.8.
Please let me know. It is important for my work.
Any help will be greatly appreciated.
On Wed, Mar 28, 2012 at 9:05 PM, Vinay Nagrik vnagrik@gmail.com wrote:
> Hello Group,
> The latest rpm in openssh is 5.8, however, the corresponding latest rpm available in centos 5.7 is only openssh-4.3p2-72.el5_6.3.x86_64.rpm and in 6.0 centos is openssh-5.3p1-20.el6.x86_64.rpm
> I have following questions.
> 1. I want to start from src.rpm and where can I get the src.rpm for openssh-5.3p1-20.el6.x86_64.rpm.
> 2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with 5.7 centos without causing any problems.
> 3. Which of these two rpms will be most compatible with latest openssh rpm version 5.8.
> Please let me know. It is important for my work.
> Any help will be greatly appreciated.
> Nagrik
You may want to read about how Redhat and thus CentOS handles package versions with regard to security patches, etc... There is information here: https://access.redhat.com/security/updates/backporting/
As for obtaining the most recent version of openssh for other reasons (such as features), it is strongly recommended against compiling your own, and instead installing the package from another publicly accepted repository, such as EPEL or RepoForge. Any packages on there have already been compiled and tested to work with your version of CentOS. I would avoid installing the C6 version of openssh on C5, and instead make sure to get the proper package meant for C5.
❧ Brian Mathis
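With backporting, the upstream version number in the package name does not say which security fixes are present; Red Hat package changelogs usually name the CVE ids that a backported patch addresses. The following is an added example, not part of any message in this thread: it extracts CVE ids from `rpm -q --changelog` output. The sample changelog, its CVE ids and the function names `cve_fix_entries` and `is_backported` are constructed placeholders, and the header layout ending in " - version-release" is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): list the CVE ids named in an RPM
# changelog together with the newest package release whose entry mentions them.
# Real input would come from:  rpm -q --changelog openssh | cve_fix_entries

# Constructed sample in the shape of `rpm -q --changelog` output; the CVE ids,
# packager and bug number are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Jan 10 2012 Example Packager <pkg@example.invalid> - 4.3p2-82
- fix placeholder issue CVE-0000-0002 (backported patch)

* Mon Jun 06 2011 Example Packager <pkg@example.invalid> - 4.3p2-72
- resolve CVE-0000-0001 and CVE-0000-0002 follow-up
- unrelated bug fix (#000000)'

# Print "CVE-id<TAB>version-release" once per CVE, newest mention first.
cve_fix_entries() {
    awk '
        /^\* / {                       # entry header: date, packager, " - ver-rel"
            n = split($0, part, " - ")
            release = part[n]
            next
        }
        {
            line = $0
            # A line may name several CVEs; walk through all of them.
            while (match(line, /CVE-[0-9]+-[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                if (!(id in seen)) { seen[id] = 1; printf "%s\t%s\n", id, release }
                line = substr(line, RSTART + RLENGTH)
            }
        }'
}

# Succeed if the changelog on stdin mentions the given CVE id.
is_backported() {
    cve_fix_entries | cut -f1 | grep -qx -- "$1"
}

printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fix_entries
```

A CVE that is absent from the changelog is not proof that the package is affected; the vendor's advisory for that CVE is the authoritative answer.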
On 03/28/2012 08:05 PM, Vinay Nagrik wrote:
> Hello Group,
> The latest rpm in openssh is 5.8, however, the corresponding latest rpm available in centos 5.7 is only
> openssh-4.3p2-72.el5_6.3.x86_64.rpm
> and in 6.0 centos is
> openssh-5.3p1-20.el6.x86_64.rpm
> I have following questions.
> 1. I want to start from src.rpm and where can I get the src.rpm for
> openssh-5.3p1-20.el6.x86_64.rpm.
> 2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with 5.7 centos
> without causing any problems.
If you rebuild it, if it rebuilds, and if you rebuild anything that depends on the old one, then yes. It may not build without newer "buildrequires" being met though. And now, every time there is an upgrade, you have to remember to get the new one and rebuild again. You also have to track any changes of the new "buildrequires" that you had to build.
> 3. Which of these two rpms will be most compatible with latest openssh rpm
> version 5.8.
They are all compatible ... I don't think any is more compatible than another.
> Please let me know. It is important for my work.
> Any help will be greatly appreciated.
Unless you are going to look at the CVE website every day for ssh vulnerabilities and roll in patches or get new code from openssh directly for every one, then you want to stay with what is in the distro.
Red Hat uses backporting for security issues:
https://access.redhat.com/security/updates/backporting/
If you rebuild a new ssh, you will also have to rebuild any packages that are built against the old openssh against the new openssh.
If you are concerned about security ... that is the whole purpose of enterprise linux ... it backports security patches for 10 years while maintaining consistent APIs/ABIs.
If you want the latest packages on your machine, then you want Fedora and not CentOS.
Johnny Hughes wrote:
> On 03/28/2012 08:05 PM, Vinay Nagrik wrote:
>> The latest rpm in openssh is 5.8, however, the corresponding latest rpm available in centos 5.7 is only openssh-4.3p2-72.el5_6.3.x86_64.rpm and in 6.0 centos is openssh-5.3p1-20.el6.x86_64.rpm
>> I have following questions.
>> 1. I want to start from src.rpm and where can I get the src.rpm for
>> openssh-5.3p1-20.el6.x86_64.rpm.
>> 2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with 5.7 centos
>> without causing any problems.
> If you rebuild it, if it rebuilds, and if you rebuild anything that depends on the old one, then yes. It may not build without newer "buildrequires" being met though. And now, every time there is an upgrade, you have to remember to get the new one and rebuild again. You also have to track any changes of the new "buildrequires" that you had to build.
>> 3. Which of these two rpms will be most compatible with latest openssh
>> rpm version 5.8.
<snip>
> If you rebuild a new ssh, you will also have to rebuild any packages that are built against the old openssh against the new openssh.
> If you are concerned about security ... that is the whole purpose of enterprise linux ... it backports security patches for 10 years while maintaining consistent APIs/ABIs.
> If you want the latest packages on your machine, then you want Fedora and not CentOS.
Well... I can see it. We had to build a newer package for 5.x, because we *had* to have PIV-II/pkcs11 support. That's *just* come in with 6.2, to be able to log in with a smart card. Even so, there's a bug/enhancement (and my manager has this in w/ Redhat, and it's been escalated) needed, that it insists on showing the userlist of recent logins.
mark
On 03/29/2012 09:56 AM, m.roth@5-cent.us wrote:
> Johnny Hughes wrote:
>> On 03/28/2012 08:05 PM, Vinay Nagrik wrote:
>>> The latest rpm in openssh is 5.8, however, the corresponding latest rpm available in centos 5.7 is only openssh-4.3p2-72.el5_6.3.x86_64.rpm and in 6.0 centos is openssh-5.3p1-20.el6.x86_64.rpm
>>> I have following questions.
>>> 1. I want to start from src.rpm and where can I get the src.rpm for
>>> openssh-5.3p1-20.el6.x86_64.rpm.
>>> 2. Can I install openssh-5.3p1-20.el6.x86_64.rpm SAFELY with 5.7 centos
>>> without causing any problems.
>> If you rebuild it, if it rebuilds, and if you rebuild anything that depends on the old one, then yes. It may not build without newer "buildrequires" being met though. And now, every time there is an upgrade, you have to remember to get the new one and rebuild again. You also have to track any changes of the new "buildrequires" that you had to build.
>>> 3. Which of these two rpms will be most compatible with latest openssh
>>> rpm version 5.8.
> <snip>
>> If you rebuild a new ssh, you will also have to rebuild any packages that are built against the old openssh against the new openssh.
>> If you are concerned about security ... that is the whole purpose of enterprise linux ... it backports security patches for 10 years while maintaining consistent APIs/ABIs.
>> If you want the latest packages on your machine, then you want Fedora and not CentOS.
> Well... I can see it. We had to build a newer package for 5.x, because we *had* to have PIV-II/pkcs11 support. That's *just* come in with 6.2, to be able to log in with a smart card. Even so, there's a bug/enhancement (and my manager has this in w/ Redhat, and it's been escalated) needed, that it insists on showing the userlist of recent logins.
And this can be the case ... they will roll back security items, but there will be some new functionality that is not rolled back.
If you really need some new function, then yes, a rebuild is in order.
That entails all the things I outlined above though ... figuring out "what else" you need to build first to use as a "BuildRequires", figuring out what you have to build after because they depend on the built shared libraries of the package (or they depend on one of your newer BuildRequires that you needed). Then you need to set up a method to track all the "out of band" packages that you are adding so you keep them up2date.
This can sometimes just be the package in question ... but sometimes it can be a whole bunch of other packages too ... for example, if you built a newer openssl, you would also need to rebuild all of these afterwards (which build against openssl):
[hughesjr@localhost SRPMS]$ for srpms in $(ls *.src.rpm); do is_openssl=$(rpm -qp --requires $srpms | grep openssl); if [ "$is_openssl" != "" ]; then echo $srpms; fi; done
authd-1.4.3-14.src.rpm
autofs-5.0.1-0.rc2.163.el5.src.rpm
bind-9.3.6-20.P1.el5.src.rpm
bind97-9.7.0-6.P2.el5_7.4.src.rpm
certmonger-0.50-3.el5.src.rpm
clustermon-0.12.1-7.el5.centos.src.rpm
conga-0.12.2-51.el5.centos.src.rpm
crypto-utils-2.3-2.el5.src.rpm
curl-7.15.5-15.el5.src.rpm
cyrus-imapd-2.3.7-12.el5_7.2.src.rpm
cyrus-sasl-2.1.22-5.el5_4.3.src.rpm
desktop-printing-0.19-20.2.el5.src.rpm
distcache-1.4.5-14.1.src.rpm
dovecot-1.0.7-7.el5_7.1.src.rpm
ecryptfs-utils-75-8.el5.src.rpm
elinks-0.11.1-6.el5_4.1.src.rpm
epic-2.4-1.src.rpm
evolution-connector-2.12.3-11.el5.src.rpm
evolution-data-server-1.12.3-18.el5.src.rpm
exim-4.63-10.el5.src.rpm
fetchmail-6.3.6-4.el5.src.rpm
fipscheck-1.2.0-1.el5.src.rpm
freeradius-1.1.3-1.6.el5.src.rpm
freeradius2-2.1.12-3.el5.src.rpm
gftp-2.0.18-3.2.2.src.rpm
gnome-vfs2-2.16.2-8.el5.src.rpm
hplip-1.6.7-6.el5_6.1.src.rpm
hplip3-3.9.8-11.el5_6.1.src.rpm
htdig-3.2.0b6-11.el5.src.rpm
httpd-2.2.3-63.el5.centos.src.rpm
ipsec-tools-0.6.5-14.el5_5.5.src.rpm
iscsi-initiator-utils-6.2.0.872-13.el5.src.rpm
isns-utils-0.93-1.0.el5.src.rpm
java-1.6.0-openjdk-1.6.0.0-1.24.1.10.4.el5.src.rpm
kdelibs-3.5.4-26.el5.centos.1.src.rpm
kdenetwork-3.5.4-13.el5_6.1.src.rpm
libc-client-2004g-2.2.1.src.rpm
libdbi-drivers-0.8.1a-1.2.2.src.rpm
libgnomeprint22-2.12.1-10.el5.src.rpm
libwvstreams-4.2.2-2.1.src.rpm
lynx-2.8.5-28.1.el5_2.1.src.rpm
m2crypto-0.16-8.el5.src.rpm
mod_authz_ldap-0.26-11.el5.src.rpm
mutt-1.4.2.2-3.0.2.el5.src.rpm
mysql-5.0.77-4.el5_6.6.src.rpm
neon-0.25.5-10.el5_4.1.src.rpm
net-snmp-5.3.2.2-17.el5.src.rpm
NetworkManager-0.7.0-13.el5.src.rpm
nmap-4.11-2.src.rpm
nss_ldap-253-49.el5.src.rpm
ntp-4.2.2p1-15.el5.centos.1.src.rpm
openCryptoki-2.2.4-25.el5.src.rpm
openhpi-2.14.0-5.el5.src.rpm
OpenIPMI-2.0.16-12.el5.src.rpm
openldap-2.3.43-25.el5.src.rpm
openldap24-libs-2.4.23-5.el5.src.rpm
openssh-4.3p2-82.el5.src.rpm
pam_ccreds-3-5.src.rpm
perl-Crypt-SSLeay-0.51-11.el5.src.rpm
perl-Net-SSLeay-1.30-4.fc6.src.rpm
php-5.1.6-32.el5.src.rpm
php53-5.3.3-5.el5.src.rpm
postfix-2.3.3-2.3.el5_6.src.rpm
postgresql-8.1.23-1.el5_7.3.src.rpm
postgresql84-8.4.9-1.el5_7.1.src.rpm
postgresql-odbc64-09.00.0200-1.el5.src.rpm
pwlib-1.10.1-7.0.1.el5.src.rpm
pyOpenSSL-0.6-2.el5.src.rpm
python-2.4.3-46.el5.src.rpm
python-ldap-2.2.0-2.1.src.rpm
qspice-0.3.0-54.el5_5.2.src.rpm
quota-3.13-5.el5.src.rpm
rdesktop-1.6.0-7.src.rpm
ruby-1.8.5-24.el5.src.rpm
samba-3.0.33-3.37.el5.src.rpm
samba3x-3.5.10-0.107.el5.src.rpm
sblim-1-49.el5.src.rpm
scribus-1.3.3.2-3.el5.src.rpm
sendmail-8.13.8-8.1.el5_7.src.rpm
slrn-0.9.8.1pl1-1.2.2.src.rpm
spamassassin-3.3.1-2.el5.src.rpm
spice-client-0.8.1-6.el5.src.rpm
squid-2.6.STABLE21-6.el5.src.rpm
stunnel-4.15-2.el5.1.src.rpm
tcpdump-3.9.4-15.el5.src.rpm
tn5250-0.17.3-6.src.rpm
tog-pegasus-2.11.0-3.el5.src.rpm
tpm-tools-1.3.1-1.el5.src.rpm
trousers-0.3.1-4.el5.src.rpm
vsftpd-2.0.5-24.el5.src.rpm
w3m-0.5.1-18.el5.src.rpm
wget-1.11.4-2.el5_4.1.src.rpm
wireshark-1.0.15-1.el5_6.4.src.rpm
wpa_supplicant-0.5.10-9.el5.src.rpm
wvdial-1.54.0-5.2.2.1.src.rpm
x3270-3.3.4p7-3.el5.4.src.rpm
xchat-2.6.6-8.el5.src.rpm
xmlsec1-1.2.9-8.1.2.src.rpm
So, this can be very challenging.
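One way to set up the tracking of "out of band" packages described in the message above, as an added example that is not code from the thread: it compares an `rpm -qa` inventory against a list of the packages you deliberately build yourself. The manifest format, the function names, the sample inventory and the assumption that distro packages carry the Vendor string "CentOS" are all choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit locally built ("out of band")
# packages against a manifest of the ones you intend to maintain yourself.
# Real inventory: rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\t%{VENDOR}\n'
# Assumptions: distro packages carry Vendor "CentOS" (override DISTRO_VENDOR);
# the manifest format (one package name per line) is hypothetical.

# stdin = inventory, $1 = manifest file. Prints, tab-separated and sorted:
#   UNTRACKED name ver-rel  non-distro package that nobody is tracking
#   REPLACED  name ver-rel  tracked name that is the distro's build again
#   MISSING   name          tracked package that is no longer installed
audit_out_of_band() {
    awk -F '\t' -v manifest="$1" -v distro="${DISTRO_VENDOR:-CentOS}" '
        BEGIN { while ((getline n < manifest) > 0) if (n != "") tracked[n] = 1 }
        {
            installed[$1] = 1
            if ($3 == distro) {
                if ($1 in tracked) print "REPLACED\t" $1 "\t" $2
            } else if (!($1 in tracked)) {
                print "UNTRACKED\t" $1 "\t" $2
            }
        }
        END { for (n in tracked) if (!(n in installed)) print "MISSING\t" n }
    ' | LC_ALL=C sort
}

# Constructed inventory; versions and vendors are made up for the demo.
sample_inventory() {
    printf 'openssh\t5.8p1-1.local\t(none)\n'
    printf 'openssl\t0.0.0-1.el5\tCentOS\n'
    printf 'curl\t0.0.0-1.el5\tCentOS\n'
    printf 'examplelib\t1.0-1.local\tExample Org\n'
}

# Demo: openssh is tracked and locally built (no finding), openssl is tracked
# but is the distro build, exampletool is tracked but absent.
manifest=$(mktemp)
printf 'openssh\nopenssl\nexampletool\n' > "$manifest"
sample_inventory | audit_out_of_band "$manifest"
rm -f "$manifest"
```

Run from cron after each update, a REPLACED line shows that a tracked local build has been overwritten by the distro package and its extra functionality is gone until you rebuild.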
On Mar 29, 2012, at 11:39 AM, Johnny Hughes johnny@centos.org wrote:
> So, this can be very challenging.
I think when substituting core packages it's better to root the substitutes in /usr/local, use tagged init scripts and employ the 'alternatives' feature instead of trying to replace the core packages, their dependencies and dependents.
Then both can be installed and the operator can switch from one to the other as necessary.
-Ross