RedHat forks OpenSSH?
Marc Aurele La France
tsi at ualberta.ca
Tue Nov 9 07:42:11 EST 2004
On Tue, 9 Nov 2004, Damien Miller wrote:
> It has just come to my notice that Redhat is planning to ship a
> forked version of OpenSSH. The change goes beyond the usual
> patches applied to RPMs in the build process: Redhat have built
> their own OpenSSH tarball and are using that in their source RPM
> instead of the official release distribution. If you are
> interested, have a look at the openssh-3.9p1-7.src.rpm from the
> Fedora development/ directory.
>
> This source tarball is modified from the official portable
> OpenSSH distribution. It does not have a digital signature, an
> independent download site or even a basic list of changes. From
> diffing this source against the official release, it appears that
> the only change is deletion of files related to the experimental
> ACSS cipher. It is unclear why Redhat has chosen to do this: the
> cipher is disabled by default and their own Cygwin product has
> shipped these same files for many months, as have many other
> Linux distributions.
>
> Nobody disputes Redhat's right to fork OpenSSH, but why does
> Redhat not make their desired changes through the standard RPM
> patching mechanism? By distributing their own OpenSSH tarballs
> instead of patching pristine sources, Redhat breaks the link of
> transparency, accountability and trust that their own RPM build
> model is supposed to provide.
>
> We are also curious as to the extent that the community was
> involved in this decision; OpenSSH is developed by volunteers and
> Fedora is at least ostensibly a community effort. The OpenSSH
> developers were not contacted and there does not appear to have
> been any discussion of the change on any public mailing list.
> Even the RPM Changelog entry "disable ACSS support" greatly
> understates the nature of the change. It appears that the
> community was not consulted at all and that this change was made
> unilaterally by Redhat, with no explanation.
>
> The OpenSSH developers have neither the time nor the desire to
> investigate the changes Redhat makes to OpenSSH under the cover
> of their modified source tarball. As such, we will be forced to
> disregard support requests from users of Redhat or Fedora
> systems. Security conscious users are advised to audit the Redhat
> changes themselves (for each RPM release) or build OpenSSH from
> the original sources.
>
> We consider it very disappointing that Redhat has decided to
> effectively fork OpenSSH without consulting the OpenSSH
> developers or their own community. It is not too late for Redhat
> to reconsider, or for the community to urge them to do so.
>
> Regards,
> Damien Miller
Welcome to the world of "Open Source", as defined by RedHat.
XFree86 has already suffered the same fate.
Marc.
+----------------------------------+-----------------------------------+
| Marc Aurele La France            | work:  1-780-492-9310             |
| Computing and Network Services   | fax:   1-780-492-1729             |
| 352 General Services Building    | email: tsi at ualberta.ca         |
| University of Alberta            +-----------------------------------+
| Edmonton, Alberta                |                                   |
| T6G 2H1                          | Standard disclaimers apply        |
| CANADA                           |                                   |
+----------------------------------+-----------------------------------+
XFree86 developer and VP. ATI driver and X server internals.