Henson has quit [Remote host closed the connection]
Henson has joined #nixos-security
<Henson>
ok, here's a wrinkle in the openssh_hpn thing I was asking about earlier. I made a mistake in that hpnSupport=true uses version 7.8p1 of OpenSSH, and my CVE patches for 7.9p1 were not being enabled conditionally on the version being 7.9p1, which is why they weren't applying to the hpnSupport source.
<Henson>
but an underlying question still remains, do we keep the hpnSupport flag in the openssh package which automatically switches it back to version 7.8p1, do we move the hpnSupport logic into the openssh_hpn package which is forever stuck at 7.8p1, or do we just get rid of hpnSupport and openssh_hpn altogether?
<Henson>
I think what I'll do is this: make openssh_hpn a full derivation in its own right (not being an override of openssh with hpnSupport=true), and make openssh be 7.9p1 without the hpnSupport logic. That way it simplifies openssh, allows upstream patches to be applied easily, and will allow it to progress to version 8.0 at some point in time. If somebody later decides hpnSupport is no longer...
<Henson>
required and wants to remove it, then they just have to get rid of the openssh_hpn derivation and nothing else is affected.