OpenSSH 3.4p1 - compilation problem on Linux

Darren Tucker dtucker at zip.com.au
Fri Jun 28 00:49:07 EST 2002


Christian Vogel wrote:
> The question is if it is wise to grab such security
> sensitive things like the ssh-server from just somewhere...?
>  
> On the other hand it should be made very easy for people
> to upgrade, and maybe some people don't want to rpm -ba/--rebuild
> or don't even have a compiler on their web/dns/... server?
> 
> Is there some official policy encouraging<sp?> people
> to contribute binaries... or to refrain from it?

This in no way constitutes policy, official or otherwise, but:

I contributed the scripts to allow anyone to build AIX native packages.
I later started to offer pre-packaged binaries. I recommend people don't
use them and build their own instead (and it says so, right on the
download page), but I offer them because:

a) I can. I have to build the packages anyway, putting them up is little
effort.

b) The previous source (Bull Freeware) seems to have stopped offering
updates. Their latest offering is 3.0.2p1. I'd rather have people
running my 3.4p1 packages than someone else's 3.0.2p1.

c) I've offered them to a couple of people and they accepted.

The binaries have detached gpg signatures to mitigate the risk of
third-party tampering.  (Obviously it doesn't stop first party tampering
:-)  To date, they've been downloaded from 9 distinct IPs; 2 of those
also downloaded the signatures.

So wise or not, people seem to do it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
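An added example (not code from the post or from OpenSSH) of the check a downloader should run on such a package: accept it only when gpg reports a valid detached signature AND the signing key's fingerprint matches one obtained out-of-band, here the fingerprint from the signature block above; the package and signature file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# "Good signature" from gpg only means *some* key in the local keyring
# signed the file; this script additionally pins the key fingerprint.
# verify_pinned assumes gpg is installed; check_status works offline on
# text in gpg's --status-fd format.

# Fingerprint obtained out-of-band (the one in the poster's signature block),
# with the spaces removed to match gpg's status output.
PINNED_FPR="D9A386E97EEEAF4BB2D437C9C98280C78FF4FA69"

# fingerprints_of_valid_sig STATUS_TEXT
# Prints "<signing-key-fpr> <primary-key-fpr>" taken from the VALIDSIG
# status line and succeeds; fails when gpg reported no VALIDSIG at all.
fingerprints_of_valid_sig() {
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 " " $NF; found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_status STATUS_TEXT
# Succeeds only if the signature is valid AND either the signing key or
# its primary key (gpg appends the primary fingerprint last) is pinned.
check_status() {
    fprs=$(fingerprints_of_valid_sig "$1") || return 1
    case " $fprs " in
        *" $PINNED_FPR "*) return 0 ;;
    esac
    return 1
}

# verify_pinned PACKAGE SIGNATURE
# Runs gpg in batch mode with machine-readable status on stdout and
# applies check_status to the result. Paths are placeholders.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    check_status "$status"
}

# Usage (placeholder file names):
# verify_pinned openssh-3.4p1.bff openssh-3.4p1.bff.asc \
#     && echo "signature valid, key pinned" || echo "REJECT: do not install"
```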