From 5c67f0675cf258640b508a7385ade676f4c3a407 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 27 May 2012 20:12:12 +0100 Subject: [PATCH] OpenSSH 6.0p1 --- 2012-05-27-openssh-6.0p1.txt | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 2012-05-27-openssh-6.0p1.txt diff --git a/2012-05-27-openssh-6.0p1.txt b/2012-05-27-openssh-6.0p1.txt new file mode 100644 index 00000000..1829b830 --- /dev/null +++ b/2012-05-27-openssh-6.0p1.txt @@ -0,0 +1,9 @@ +OpenSSH 6.0p1 + +

OpenSSH 6.0p1 was released a little while back; this weekend I belatedly got round to uploading packages of it to Debian unstable and Ubuntu quantal.

+ +

I was a bit delayed by needing to put together an improvement to privsep sandbox selection that particularly matters in the context of distributions. One of the experts on seccomp_filter has commented favourably on it, but I haven't yet had a comment from upstream themselves, so I may need to refine this depending on what they say.

+ +

(This is a good example of how it matters that software is often not built on the system that it's going to run on, and in particular that the kernel version is rather likely to be different. Where possible it's always best to detect kernel capabilities at run-time rather than at build-time.)

+ +

I didn't make it very clear in the changelog, but using the new seccomp_filter sandbox currently requires UsePrivilegeSeparation sandbox in sshd_config as well as a capable kernel. I won't change the default here in advance of upstream, who still consider privsep sandboxing experimental.
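
Review bot: In the last added paragraph the setting needed to enable the sandbox runs into the surrounding sentence ("requires UsePrivilegeSeparation sandbox in sshd_config"), so it is easy to miss that "sandbox" is the value of the option and not a noun. Set the directive off as a literal config line, "UsePrivilegeSeparation sandbox", so readers can copy it as written. The second paragraph mentions the privsep sandbox selection improvement and a favourable comment on it but gives no reference to either. Since the text says the change may still be refined after upstream responds, a link to the patch or bug report would let readers check its current state.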

-- 2.30.2