ssh-audit
Ubuntu 20.10 - Current ssh-audit package is 2.2.0
ssh-audit on Ubuntu 20.10 is currently at version 2.2.0, the maintainer is the Ubuntu MOTU Developers, see: https://packages.ubuntu.com/groovy/ssh-audit
I think that the Ubuntu MOTU Developers pull the package from Debian, which is maintained by ChangZhuo Chen, see: https://tracker.debian.org/pkg/ssh-audit
Does anyone understand what's preventing ChangZhuo Chen from packaging ssh-audit 2.3.1?
On Sat, 2021-01-23 at 16:11 -0800, thecliguy wrote:
> Does anyone understand what's preventing ChangZhuo Chen from packaging ssh-audit 2.3.1?
I reached out to him before (several times) to convince him to upgrade to my fork. After that, I figured I should stop pestering him. But hey... if you want to nudge him about v2.3.1, I won't stop you. ;)
You could also mention that the project switched to setuptools to make maintenance easier.
--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
@czchen Please can you advise how often ssh-audit is updated in Debian unstable?
The current package in Debian unstable is 2.2.0, whereas the most recent release of ssh-audit is 2.3.1.
Please also see the comment above from Joe Testa that the project has switched to setuptools to make maintenance easier.
FYI - Today I raised a ticket with Debian asking if there are any issues preventing new upstream versions of ssh-audit from being packaged and added to Debian unstable.
Nice. Thanks!
@jtesta Unfortunately there's been no reply to the ticket I opened on 24th February.
So we don't know why the current package maintainer for Debian has stopped packaging new versions of ssh-audit... Is it due to a technical problem, has he just got behind due to lack of time, or has he permanently retired as the maintainer...?
I've emailed you the link to the ticket if you want to take a look.
Do you have any ideas how to progress this? Do you know anyone with Debian packaging experience that could take over as maintainer?
Last time I looked into it, it seemed like I'd have to apply to become a Debian member in order to be the official maintainer. I don't recall off-hand what kind of effort that requires (either up-front, or ongoing). I suppose I'll add this mini research project to my to-do list.
That said, if you or someone else wanted to pursue this avenue, I wouldn't mind!
For what it's worth, it appears that ssh-audit has been updated to 2.5 in Ubuntu Jammy:
https://packages.ubuntu.com/jammy/ssh-audit
I downloaded the package and installed it on a Bionic 18.04 test box.
List of mirrors can be found here https://packages.ubuntu.com/jammy/all/ssh-audit/download
It's great to see that v2.5.0 of ssh-audit, which was released on 26 Aug 2021, was quickly packaged into Debian unstable just three days later on 29 Aug 2021 (according to the newsfeed on the Debian Package Tracker and the unstable change log). This then appeared to be adopted downstream by Ubuntu into 22.04 LTS (Jammy Jellyfish) on 29 Oct 2021.
@jtesta - I logged a ticket (983483) back in Feb 2021 because at that time the unstable branch of Debian was lagging several versions behind. You'll see that I did actually get a reply from Barak A. Pearlmutter (a Debian Developer) who submitted a PR to update the Debian packaging scripts but from what I can tell his changes were never accepted by ChangZhuo Chen, see Update Packaging. Do you have any idea whether Barak's PR is still relevant? Would it help ensure that ssh-audit is kept up-to-date in Debian unstable?
Looks like this was fixed in Ubuntu 22.04 LTS: https://packages.ubuntu.com/source/jammy/ssh-audit
Thanks @thecliguy for following through with this!