RedHat forks OpenSSH?

Chris Adams cmadams at hiwaay.net
Tue Nov 9 15:45:56 EST 2004


Once upon a time, Ben Lindstrom <mouring at etoh.eviladmin.org> said:
> .. Thus giving them an excuse to do bad manners and not provide any
> notification within the SRPMs that it isn't "pristine" code.

Sure they do.  The contents of the SRPM are:

openssh-3.6.1p2-groups.patch
openssh-3.8.1p1-krb5-config.patch
openssh-3.8.1p1-skip-initial.patch
openssh-3.8p1-gssapimitm.patch
openssh-3.9p1-noacss.tar.gz
openssh-3.9p1-redhat.patch
openssh-nukeacss.sh
openssh-selinux.patch
openssh.spec
x11-ssh-askpass-1.2.4.1.tar.gz

Note that the primary source tar file is "openssh-3.9p1-noacss.tar.gz"
instead of "openssh-3.9p1.tar.gz".  Note also that the script used to
clean the source of the questionable material is "openssh-nukeacss.sh".

Since the OpenSSH project doesn't distribute anything called
"openssh-3.9p1-noacss.tar.gz", it is pretty obvious that the file didn't
come from the OpenSSH project.

Also, the openssh.spec file has:

#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
Source0: openssh-%{version}-noacss.tar.gz

That makes it pretty obvious that the code originally came from
ftp.openbsd.org but that the included modified code did not.

This is not so much a "fork" as a patch.  The problem is that the patch
needs to remove questionable material, and that cannot be done with a
regular patch (as the SRPM would still contain the questionable
material, both in its original form and in the patch as removed lines).
The patch script _is_ included in the SRPM (so future versions can be
patched in exactly the same manner).

As for it being "impolite" that Red Hat didn't notify someone they were
doing this: were Tatu Ylönen and Datafellows notified that ssh 1.2.12
was going to be forked into OSSH, and then they and Björn Grönvall
notified that OSSH was going to be forked into OpenSSH?  Those are true
code forks (not just a patch); was prior notification made or was
OpenSSH an "impolite" fork?

The OpenSSH web site history page says:

   Therefore, the version of OpenSSH was based on these older versions
   of ssh 1.2.12, but with many bugs removed and newer features
   re-added:

     * has all components of a restrictive nature (i.e. patents,
       see ssl) directly removed from the source code

The CSS algorithm is claimed as a trade secret and there have been
several court cases fought over it.  Is that not code "of a restrictive
nature"?  Why is such code in OpenSSH?

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
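
As an added example (not part of the original message, and not Red Hat's or the OpenSSH project's code): the spec-file reading described above can be automated when auditing an SRPM for repackaged upstream sources. The function name `audit_sources`, the status labels, and the `Version:` line in the sample are assumptions made for illustration; the three `Source` lines are the ones quoted in the message.

```python
import re

# Constructed sample: the three spec lines quoted in the message, plus a
# Version tag (assumed, taken from the 3.9p1 file names) so %{version} expands.
SAMPLE_SPEC = """\
Version: 3.9p1
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
Source0: openssh-%{version}-noacss.tar.gz
"""

SOURCE_RE = re.compile(r"^(#?)\s*(Source\d*):\s*(\S+)", re.IGNORECASE)
VERSION_RE = re.compile(r"^Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def audit_sources(spec_text):
    """Classify each active SourceN tag by whether it still points upstream."""
    m = VERSION_RE.search(spec_text)
    version = m.group(1) if m else "%{version}"
    active, commented = {}, {}
    for line in spec_text.splitlines():
        s = SOURCE_RE.match(line.strip())
        if s:
            hashed, tag, value = s.groups()
            value = value.replace("%{version}", version)
            (commented if hashed else active)[tag.capitalize()] = value
    findings = []
    for tag, value in sorted(active.items()):
        if URL_RE.match(value):
            status = "upstream-url"
        elif tag in commented and URL_RE.match(commented[tag]):
            status = "repackaged"   # upstream URL disabled, local file used
        else:
            status = "local-only"   # no upstream reference at all
        findings.append({"tag": tag, "file": value, "status": status,
                         "upstream": commented.get(tag)})
    # A commented-out detached signature with no active replacement means the
    # shipped tarball can no longer be checked against upstream's signature.
    dropped = [v for t, v in sorted(commented.items())
               if t not in active and v.endswith((".sig", ".asc"))]
    return findings, dropped


if __name__ == "__main__":
    print(audit_sources(SAMPLE_SPEC))
```

A "repackaged" finding is a prompt to review the repackaging script shipped in the SRPM and rerun it against the upstream tarball, not a verdict on the package.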




More information about the openssh-unix-dev mailing list