RedHat forks OpenSSH?

Chris Adams cmadams at hiwaay.net
Thu Nov 11 15:38:21 EST 2004


Once upon a time, Theo de Raadt <deraadt at cvs.openbsd.org> said:
> > It was hardly a non sequitur.  Mr de Raadt repeatedly made comments 
> > about how Red Hat users apparently (or "obviously") felt, but as soon as 
> > one spoke up and expressed his feelings,
> 
> 	to Red Hat... please

You asked for users to speak up.  Do you only want to hear from the
users that agree with you?

Damien Miller said in the message that started all of this:

    We consider it very disappointing that Redhat has decided to
    effectively fork OpenSSH without consulting the OpenSSH
    developers or their own community. It is not too late for Redhat
    to reconsider, or for the community to urge them to do so.

Now some users are saying to the OpenSSH developers that maybe they
should reconsider.  Will you not at least listen, as you ask Red Hat to
do?

Damien also said:

    This source tarball is modified from the official portable
    OpenSSH distribution. It does not have a digital signature, an
    independent download site or even a basic list of changes.

Red Hat's long-time interpretation of "pristine" is not necessarily that
the original tarball downloaded from the original location is used.  For
a while now they have routinely re-compressed tarballs (from gzip to
bzip2) to save space (although I think this may be going away as more
CDs and DVDs are used).  Source RPMs for OpenSSH have never to my
knowledge included any digital signature files (the SRPM itself is signed
by Red Hat).

Red Hat also has a well-known policy of removing source code that falls
under patents or the DMCA; source code that cannot legally be
distributed freely in the US (they are after all a US company).  Code
that implements MP3 decoding is a well-known example (removed from
xmms).  The DMCA and its applications to CSS is bad.  However, for the
time being, Fedora cannot include CSS code and still be freely
distributable in the US.  Even if the code is not used, including it in
the source RPMs is not allowed.

In the case of the modified OpenSSH tarball, the script used to
generate the modified tarball is included.  That means it takes one
additional step to verify that the sources have not been tampered with;
instead of untarring an "official" OpenSSH tarball, untarring the
tarball from the SRPM, and running diff, the script from the SRPM needs
to be run on the source extracted from the official tarball.

Damien:

    We are also curious as to the extent that the community was
    involved in this decision; OpenSSH is developed by volunteers and
    Fedora is at least ostensibly a community effort. The OpenSSH
    developers were not contacted and there does not appear to have
    been any discussion of the change on any public mailing list.
    Even the RPM Changelog entry "disable ACSS support" greatly
    understates the nature of the change. It appears that the
    community was not consulted at all and that this change was made
    unilaterally by Redhat, with no explanation.

The acss support was added to OpenSSH without public discussion that I
see.  It has the unique position of being the only un-documented cipher
in OpenSSH.  I have asked here why it is there at all and why I would
want to use it with no response.  How open is that?

> Aren't you?  It is their tarball you are building from, isn't it?

If you read what was written originally you would have seen the answer
to that.  Instead, you attack.

> > Care to explain why that should not be expected to 
> > make that Red Hat user (and, by extension, all Red Hat users) feel 
> > unwelcome?
> 
> How about you make Red Hat work with the community, instead of attacking
> us?

How did Red Hat attack you?  Patching your code is not an attack.  You
have attacked Red Hat.

If you have read this far: would the OpenSSH developers consider moving
the CSS code to a library distributed separately from OpenSSH such that
the OpenSSH tarballs are not "tainted"?

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
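
The verification step described in the message above (run the packager's script over the official source, then diff against the repackaged source), as an added example that is not part of the original message or of any Red Hat or OpenSSH tooling. The function name, the fixture file names and the strip script are hypothetical, and the script is assumed to run from the top of the extracted tree.

```shell
#!/bin/sh
# verify_repack UPSTREAM REPACKED STRIP_SCRIPT
# Exit 0 if STRIP_SCRIPT applied to the UPSTREAM tarball's tree reproduces the
# REPACKED tarball's tree exactly, 1 if the trees differ, 2 on a setup error.
# Assumes UPSTREAM was already checked against its upstream signature and that
# STRIP_SCRIPT is meant to be run from the top of the extracted tree.
verify_repack() {
    upstream=$1; repacked=$2; strip=$3
    case $strip in /*) ;; *) strip=$PWD/$strip ;; esac
    work=$(mktemp -d) || return 2
    mkdir "$work/up" "$work/re"
    if tar -xf "$upstream" -C "$work/up" && tar -xf "$repacked" -C "$work/re" &&
       ( cd "$work/up" && sh "$strip" >/dev/null ); then
        # Any added, removed or altered file makes diff exit non-zero.
        diff -r "$work/up" "$work/re" >/dev/null && rc=0 || rc=1
    else
        rc=2
    fi
    rm -rf "$work"
    return $rc
}

# Constructed fixtures (not real OpenSSH files): a small "upstream" tree, a
# hypothetical strip script, an honest repack and a tampered repack.
make_fixtures() {
    d=$1
    mkdir -p "$d/src"
    printf 'int main(void){return 0;}\n' > "$d/src/main.c"
    printf 'restricted cipher\n' > "$d/src/cipher-x.c"
    tar -czf "$d/upstream.tar.gz" -C "$d/src" .
    printf 'rm -f cipher-x.c\n' > "$d/strip.sh"
    rm "$d/src/cipher-x.c"
    tar -czf "$d/honest.tar.gz" -C "$d/src" .
    printf 'int main(void){return 1;}\n' > "$d/src/main.c"
    tar -czf "$d/tampered.tar.gz" -C "$d/src" .
}

# Run with the argument "demo" to build the fixtures and check both repacks.
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d); make_fixtures "$t"
    verify_repack "$t/upstream.tar.gz" "$t/honest.tar.gz" "$t/strip.sh"; echo "honest: $?"
    verify_repack "$t/upstream.tar.gz" "$t/tampered.tar.gz" "$t/strip.sh"; echo "tampered: $?"
    rm -rf "$t"
fi
```

The comparison is only as trustworthy as the upstream tarball it starts from, and the strip script itself should be read before it is run.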




More information about the openssh-unix-dev mailing list