RedHat forks OpenSSH?
Dan Kaminsky
dan at doxpara.com
Tue Nov 9 14:55:30 EST 2004
>.. Thus giving them an excuse to do bad manners and not provide any
>notification within the SRPMs that it isn't "pristine" code.
>
>Honestly, Dan. Do we really want to encourage such behavior?
>
>Fine.. Redhat is misguided and thinks they have to remove the code. Fine
>let them. But let them CLEARLY AND UNMISTAKABLY mark the thing as *NOT*
>being "pristine" code. So people can MAKE their own choices. That is what
>"Open Source" is all about? Being utterly transparent so people can make
>their own choices and not be "forced down a SINGLE person's path?"
>
>BTW.. Does Redhat modify the *.tar.gz for the "could be illegal patent
>usage" that is within the Truetype font server shipped with X? Or do they
>just not ship it enabled by default?
>
>If they do ship it with it just turned off.. Then they better rush out
>and remove the code. Along with all the other stuff marked questionable.
>Otherwise they are being pretty two-faced about the whole issue.
>
>- Ben
>
>
>
Be fair. Truetype rendering is much more central to a font server than
ACSS is to OpenSSH. I appreciate the stand Theo and the rest of you are
making, but using package security as a bludgeon to attack law is bad
form -- be insecure, or be exposed legally? What's our priority here?

This being said, Theo's right. ACSS is in the same category as RC4,
with empty threats being the only thing separating the former from the
latter.

And you're right: It's not your tarball, so it shouldn't be named as
such. The tarball should be renamed to rh_openssh.tgz, and a hash
embedded of the following command: "cat openssh.tgz rh_openssh.tgz |
sha1sum". That creates a security chain w/o forcing Redhat to embed the
code in a release.

Personally, I'm furious at the lawyers who are frankly lying about CSS
being anything close to a trade secret every time they send a C&D. But
they *are* sending C&D's. And Redhat apparently got one. The technical
solution you prescribed -- patching -- doesn't satisfy the desist. The
above, admittedly awkward hack does. They can either ship OpenSSH pure,
w/ the lawsuit bait, or they can use that.

--Dan
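The concatenate-and-hash provenance chain Dan proposes, worked through as an added example; this is not code from the post, from OpenSSH or from Red Hat. The tarball names follow the post, their contents are constructed stand-ins, and the `.chain` sidecar file, the function names and the use of a temporary directory are assumptions of mine. The post names sha1sum; sha256sum is a drop-in replacement for current use.

```shell
#!/bin/sh
# Added example (not from the post, OpenSSH or Red Hat): a runnable version of
# "cat openssh.tgz rh_openssh.tgz | sha1sum" as a chain from a vendor's renamed
# tarball back to the upstream release it was derived from.
set -eu

WORK=$(mktemp -d)                 # assumption: scratch directory for the demo
trap 'rm -rf "$WORK"' EXIT

# The post uses sha1sum (2004); sha256sum is a drop-in replacement today.
digest() { sha1sum | cut -d' ' -f1; }

# Constructed stand-ins: the upstream release, the vendor's modified release,
# and a copy of the vendor release that was altered after publication.
printf 'upstream openssh release\n'                 > "$WORK/openssh.tgz"
printf 'vendor-modified openssh release\n'          > "$WORK/rh_openssh.tgz"
printf 'vendor-modified openssh release, altered\n' > "$WORK/rh_openssh_altered.tgz"

# Chain hash: digest of the upstream tarball followed by the vendor tarball.
# The order is part of the definition, so the hash binds one vendor release
# to one specific upstream release.
chain_hash() { cat "$1" "$2" | digest; }

# Vendor side: publish the chain hash beside the renamed tarball in a
# ".chain" sidecar file (assumed format: "<hash>  <upstream> <vendor>").
publish_chain() {
    upstream=$1; vendor=$2
    printf '%s  %s %s\n' "$(chain_hash "$upstream" "$vendor")" \
        "$(basename "$upstream")" "$(basename "$vendor")" > "$vendor.chain"
}

# Consumer side: recompute from an independently obtained upstream copy and
# the downloaded vendor tarball; succeed only if the published hash matches.
verify_chain() {
    chainfile=$1; upstream=$2; vendor=$3
    expected=$(cut -d' ' -f1 "$chainfile")
    actual=$(chain_hash "$upstream" "$vendor")
    [ "$actual" = "$expected" ]
}

publish_chain "$WORK/openssh.tgz" "$WORK/rh_openssh.tgz"

if verify_chain "$WORK/rh_openssh.tgz.chain" "$WORK/openssh.tgz" "$WORK/rh_openssh.tgz"; then
    echo "rh_openssh.tgz chains to openssh.tgz"
fi
if ! verify_chain "$WORK/rh_openssh.tgz.chain" "$WORK/openssh.tgz" "$WORK/rh_openssh_altered.tgz"; then
    echo "altered copy does not chain to openssh.tgz"
fi
```

The check only tells a consumer that the vendor tarball is the one the published hash was computed over; it says nothing about what the vendor changed, and the `.chain` file itself needs its own integrity protection (a signature or an authenticated channel), since anyone who can replace the tarball can republish a matching hash.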