RedHat forks OpenSSH?

Theo de Raadt deraadt at cvs.openbsd.org
Wed Nov 10 05:40:46 EST 2004


> > > The OpenSSH web site history page says:
> > >
> > >    Therefore, the version of OpenSSH was based on these older versions
> > >    of ssh 1.2.12, but with many bugs removed and newer features
> > >    re-added:
> > >
> > >      * has all components of a restrictive nature (i.e. patents,
> > >        see ssl) directly removed from the source code
> > >
> > > The CSS algorithm is claimed as a trade secret and there have been
> > > several court cases fought over it.  Is that not code "of a restrictive
> > > nature"?  Why is such code in OpenSSH?
> > 
> > I claim that the colour red is a trade secret of me.
> > 
> > Are you afraid?
> 
> Do you know enough about Trade Secret law in the United States and
> Europe to really make such a claim? In most cases you could not
> consider the colour red a trade secret.. how you make a specific
> colour red specifically for your dye manufacturing would be.

Trade secret law only lets you take action against those who have
violated agreements.  If there is no agreement, and the secret gets
out, it is out.  Tough shit.  Come on, go for it, go do some research,
that is how it works!

> > Why is Redhat such a pushover?
> > 
> 
> Maybe it's because the value of the algorithm is not considered enough
> to fight over. The other issues could be that ArcFour was disseminated
> before DMCA and other US and European laws.. and ACSS was done so
> afterwards.

There is no value.  It was a secret.  It is not not a secret.  A trade
secret has ZERO value, and you cannot push around people who discovered
it outside of the framework of an agreement.

> > Is it because they are an American company?
> > 
> 
> More than likely. They also have a lot of stockholders and lawsuits
> filed anytime the stock drops more than 20 cents because someone filed
> a frivolous item.

I thought that their users were people they would consult, but
apparently not.


> > Come on!  Someone tell me what law prohibits the ACSS cipher from
> > being used to protect an SSH communication!
> > 
> 
> I do not think there are any lawyers on this list so any answer people
> gave you would be worthless. Most lawyers do not post legal opinions
> to electronic lists because they open themselves to various criminal
> and civil lawsuits.

Well, I have consulted lawyers on this, unlike people who post in
reply (like you).

> > Why does no one want to answer this question?
> > 
> > 
> 
> Because it is so much more fun to bait you and watch your responses. 
> I think that most of this argument has been to see if someone can get
> you to have Tourette's Syndrome.
> 
> In the end, Red Hat did not say to OpenSSH that they were going to do
> this, but really under the BSD license they do not have to. Heck they
> do not have to give the code if they want.

They acted disrespectfully towards their user base, and now their user
base is in all likelihood going to get zero support from the OpenSSH
developers themselves.

> In their .src.rpm, Red Hat does put in a script that was used to take
> out the code, AND they did label the tar-ball as openssh-noaccs.tar.gz
> versus calling it openssh.tar.gz. All of these things were things that
> the original email Damien mentioned that he was worried about not
> being there.
>

> On the other side, OpenSSH does not have to answer support/problem
> reports from Red Hat, SuSE, Debian or any other group that decides the
> ACSS is not to be shipped.

You're right, now they won't get any support.

> On the other hand, they do not have to
> answer questions if the code was there either. The fact that people do
> answer questions is a nicety that too few people recognize with words
> or dollars.

So they have decided for their user base.




More information about the openssh-unix-dev mailing list