Ticket #16911 (closed defect: fixed)
git-core requiring macports' ssh on leopard, openssh security concern
|Reported by:|bcbarnes@…|Owned by:|macports-tickets@…|
|Keywords:| |Cc:|maccheck@…, bryan@…, nox@…|
I recently installed git-core via MacPorts on OS X 10.5.5 (Intel). MacPorts 1.6.0 recently selfupdate'd.
As a dependency, the port openssh was installed. Due to the way the postflight script sets paths, /opt/local/bin is searched before /usr/bin. Therefore, ssh and ssh-keygen from the openssh port are used by default instead of the OS X ssh utilities.
This raises two concerns:
- Security. If a vulnerability in ssh leads to an intrusion on my local machine, my company can blame Apple, or Apple can provide security patches in a timely fashion. Relying on MacPorts for system security is not a preferred situation.
- Why was this needed at all? In Tiger or Leopard, ssh is available by default. The openssh port should not be installed on Leopard if the normal system ssh may simply be used instead. It takes up disk space for no reason.
I really, really do not like MacPorts hijacking a system utility related to security. At the very worst, the openssh port should install its binaries with names such as ssh-mp (for -macports), similar to how the gcc42/gcc43 ports install their compilers with a -mp extension. Then ports which must use the openssh port instead of the system ssh could reference the renamed executables.
Thanks for reading.
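
A check for the PATH-ordering situation described in the report above, as an added example that is not part of the original ticket or of MacPorts: it lists which copy of a command wins resolution and flags a copy that shadows the one in the system directory. The function names and the throwaway directory tree standing in for /opt/local/bin and /usr/bin are constructed for illustration.

```shell
#!/bin/sh
# List every executable named $1 found on a PATH-style string
# ($2, default $PATH), in the order the shell searches it.
path_candidates() {
    cmd=$1
    search=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f                          # no glob expansion while splitting
    for dir in $search; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
        fi
    done
    set +f
    IFS=$old_ifs
}

# Print the binary that wins resolution and return 0 when it shadows a copy
# of the same command in the system directory $2; return 1 otherwise.
shadows_system() {
    cmd=$1; sysdir=$2; search=${3:-$PATH}
    winner=$(path_candidates "$cmd" "$search" | head -n 1)
    [ -n "$winner" ] || return 1                 # command not found at all
    [ -x "$sysdir/$cmd" ] || return 1            # no system copy to shadow
    [ "$winner" != "$sysdir/$cmd" ] || return 1  # the system copy wins
    printf '%s\n' "$winner"
}

# Constructed demo tree: empty stub scripts, not real ssh binaries.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
for d in opt/local/bin usr/bin; do
    mkdir -p "$demo_root/$d"
    for tool in ssh ssh-keygen; do
        printf '#!/bin/sh\n' > "$demo_root/$d/$tool"
        chmod +x "$demo_root/$d/$tool"
    done
done
demo_path="$demo_root/opt/local/bin:$demo_root/usr/bin"

for tool in ssh ssh-keygen; do
    if hit=$(shadows_system "$tool" "$demo_root/usr/bin" "$demo_path"); then
        echo "WARNING: $tool resolves to $hit, not the system copy"
    fi
done
```

On a real machine, call `shadows_system ssh /usr/bin` with no third argument to test the current `$PATH`.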
comment:15 Changed 5 years ago by blb@…
- Status changed from new to closed
- Resolution set to fixed
- Port set to git-core