#897950 [patch] curl: replace from libssh2 to libssh to improve security

Package: curl
Source: curl
Description: command line tool for transferring data with URL syntax
Submitter: Hideki Yamane
Date: 2021-12-26 17:27:03 UTC
Severity: wishlist
#897950#5
Date: 2018-05-05 05:33:26 UTC
package: curl
severity: wishlist
tags: patch

Hi,

I've found that Fedora 28 introduced a change in curl to use libssh instead of
libssh2. I thought it would be nice to make that change in Debian, too.
See https://docs.fedoraproject.org/f28/release-notes/sysadmin/Security.html

Patch attached.

#897950#12
Date: 2019-01-31 14:44:13 UTC
Hey there,

We would also like to see that for Ubuntu: since libssh is in main,
switching would also allow removing the debian/rules hack that disables
the sftp backend on Ubuntu.

Updated patch included.

#897950#17
Date: 2020-06-29 08:31:28 UTC
Dear curl maintainer,

Is there a chance you would consider making that change? libssh is better
maintained and it would make sense.

Thanks,

#897950#22
Date: 2021-12-26 12:39:56 UTC
Adding 897950@bugs.debian.org to CC, which is the bug asking for curl's switch to libssh.

Well, since we're here now, we should be good to actually switch curl
from libssh2 to libssh.

Anybody against it?

Regards,

#897950#27
Date: 2021-12-26 13:59:45 UTC
What is the reason for the switch to begin with? The only reason stated in 897950
seems to be "it's a better maintained library and other distributions
have already switched to it".

1. How is it "a better maintained library"?

2. Why does it matter what other distros have done? Surely other distros make
all sorts of crazy decisions all the time. Why do you think this particular one
is fine to follow?

#897950#32
Date: 2021-12-26 15:28:24 UTC
Dropping 1002597 from the discussion to focus on 897950.

Fedora's wiki states a few security improvements[0], though I didn't
double check whether those apply to curl's usage of ssh.

I assume this is judged by the amount of recent commits on both
projects, so it's not a perfect metric and it's gonna be hard to argue
for it in case of disagreement. My assumption might be wrong, though,
and the people who said it could have different metrics for it.

Let me try to describe where I stand.
By following other distros we benefit from a bigger userbase and thus
increased chances of receiving patches from those distros through
upstream. In the case of syncing with Ubuntu this is even better, as
they're constantly sending patches back to us. It's a bit of a
symbiotic relationship because they also don't want to carry deltas
from Debian.
It's also sometimes good to try to standardise the packages on a
certain library and focus on that, instead of maintaining multiple
ones. This is one of the reasons Ubuntu switched to libssh, though I
can't say yet if Debian will benefit from this as well (we usually
support multiple libraries).

This being said, these things don't weigh over "crazy decisions", so
we can always divert if we think it's the right thing.

Daniel, I won't rush this change and I value your input on this, as
both curl and libssh2's upstream, so feel free to take your time to
reply.

In my initial assessment I couldn't find considerable differences that
would weigh in favour of staying with libssh2. I did stumble upon your
blog posts talking about performance (libssh2 being better), but they
are a bit old and I'm not sure if they still apply.

From your message, I believe you are leaning towards sticking with
libssh2, and I would be happy to hear your thoughts on it.

[0] https://fedoraproject.org/wiki/Changes/libssh-in-libcurl

Thank you,

#897950#37
Date: 2021-12-26 17:22:40 UTC
I won't say they are, but it *could* be that some people involved there are
biased. Of course nobody asked me, but had they, I would have asked for
clarification on a lot of those points.

I feel that I'm not on neutral ground here, so I'd rather avoid taking sides at
all. I want the decision to be based on sound and solid reasons by people who
understand them, whatever direction it goes.

Yeah, I haven't done any such comparisons in many years. The situation is most
likely very different today.