RedHat forks OpenSSH?

Stephen Frost sfrost at snowman.net
Tue Nov 9 13:40:54 EST 2004


* Ben Lindstrom (mouring at etoh.eviladmin.org) wrote:
> Impolite in the fact they take a clean tar ball physically remove code
> from it instead of using the native RPM patch methodology.  Thus you have an
> unsignable and unverifiable *.tar.gz file within the srpm.

Removing it using RPM doesn't remove the problem files from the servers
and mirrors which distribute them.  This issue has been run around on
the Debian legal mailing list quite a few times.  Certainly the absolute
best solution is for upstream to remove it.  In situations where
upstream is unwilling to, then it falls to the maintainer.

> Frankly, if they feel they need to do this, then they should at least be
> polite enough to call it "RedhatSSH" or "OurModifiedOpenSSH" so people
> expecting such chain of verification will fail if someone tries to verify
> it against upstream code.

Users expect a working distribution to have things like 'ssh'.  The fact
that a few files that 99.99% of users wouldn't even be interested in
were removed is uninteresting and unimportant to them.  Trying to claim
that makes it a fork is a feat of an amazingly overactive imagination.

> To me (I can't and won't speak for anyone else), the issue isn't WHAT
> they removed more as *HOW* they removed it.

A better solution would be nice.  I haven't seen one suggested yet.  It
probably would have been better if they had contacted the OpenSSH
developers and asked them to remove it from upstream but, well, it isn't
always useful to waste that kind of time.

	Stephen