RedHat forks OpenSSH?

Stephen J. Smoogen smooge at gmail.com
Wed Nov 10 05:33:13 EST 2004


On Tue, 09 Nov 2004 00:38:06 -0700, Theo de Raadt
<deraadt at cvs.openbsd.org> wrote:
> 
> 
> > The OpenSSH web site history page says:
> >
> >    Therefore, the version of OpenSSH was based on these older versions
> >    of ssh 1.2.12, but with many bugs removed and newer features
> >    re-added:
> >
> >      * has all components of a restrictive nature (i.e. patents,
> >        see ssl) directly removed from the source code
> >
> > The CSS algorithm is claimed as a trade secret and there have been
> > several court cases fought over it.  Is that not code "of a restrictive
> > nature"?  Why is such code in OpenSSH?
> 
> I claim that the colour red is a trade secret of me.
> 
> Are you afraid?

Do you know enough about Trade Secret law in the United States and
Europe to really make such a claim? In most cases you could not
consider the colour red a trade secret.. how you make a specific
colour red specifically for your dye manufacturing would be.

> 
> Why is Redhat such a pushover?
> 

Maybe it's because the value of the algorithm is not considered enough
to fight over. The other issues could be that ArcFour was disseminated
before DMCA and other US and European laws.. and ACSS was done so
afterwards.

> Is it because they are an American company?
> 

More than likely. They also have a lot of stockholders and lawsuits
filed anytime the stock drops more than 20 cents because someone filed
a frivolous item.


> Come on!  Someone tell me what law prohibits the ACSS cipher from
> being used to protect an SSH communication!
> 

I do not think there are any lawyers on this list so any answer people
gave you would be worthless. Most lawyers do not post legal opinions
to electronic lists because they open themselves to various criminal
and civil lawsuits.

> Why does no one want to answer this question?
> 
> 

Because it is so much more fun to bait you and watch your responses. 
I think that most of this argument has been to see if someone can get
you to have Tourette's Syndrome.

In the end, Red Hat did not say to OpenSSH that they were going to do
this, but really under the BSD license they do not have to. Heck they
do not have to give the code if they want.

In their .src.rpm, Red Hat does put in a script that was used to take
out the code, AND they did label the tar-ball as openssh-noaccs.tar.gz
versus calling it openssh.tar.gz. All of these things were things that
the original email Damien mentioned that he was worried about not
being there.

On the other side, OpenSSH does not have to answer support/problem
reports from Red Hat, SuSE, Debian or any other group that decides the
ACSS is not to be shipped. On the other hand, they do not have to
answer questions if the code was there either. The fact that people do
answer questions is a nicety that too few people recognize with words
or dollars.


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator




More information about the openssh-unix-dev mailing list