SRP Patch Integration?

Tom Wu tom at
Wed Feb 13 09:55:20 EST 2002

Theo de Raadt wrote:
> Don't you get it do you?  We don't investigate if there is a threat.
> We assume the worst.  We're not stupid enough to play some stupid game
> with possible future legal outcomes.

But that's the problem with assumptions - they may be wrong.  And when
you refuse to listen to evidence that the threat is in fact identical to
existing threats (e.g. DSA) that you have deemed acceptable, it tends to
call into question the judgement of the person making that assumption.

> I tried to explain very clearly why we are not integrating the code,
> but Tom persists in trying to blame me for making the decision
> unsoundly.  

I believe that decision *is* unsound, primarily because you've seemingly
made up your mind based on inaccurate information, broad
generalizations, and double standards.  For someone who constantly
demands that people write code and improve OpenSSH instead of
complaining, your attitude given that somebody *has* written the code
is, to put it mildly, counterproductive.

> I am making a safe decision -- SRP does not provide enough
> benefit considering possible legal risks.  I wish there was no risk.
> Your statement of there being no risk is not enough.  Sorry.

Is it ever really safe to stagnate in the software industry?  Even Open
Source software has to innovate, if it wants to compete effectively with
Closed Source projects, not to mention other OSS projects.

Theo, if you don't want to respond to me, that's your prerogative.  I'd
like to hear the opinions of other OpenSSH developers on the list,

