RedHat forks OpenSSH?

Jefferson Ogata Jefferson.Ogata at noaa.gov
Thu Nov 11 16:55:50 EST 2004


Theo de Raadt wrote:
> Damien is right.
> 
> No one at Red Hat has responded.  Very few users have responded too.
> 
> Our opinions as to how to deal with this are starting to calcify.
> 
> Perhaps that is for the better.

All due respect to you, Theo, but one thing perplexes me:

What practical difference in terms of support would it make that Red Hat 
has omitted a cipher? Is it really likely to change the nature of the 
problems people have? I guess if someone complains that they can't 
figure out why acss isn't working, sure, but otherwise...?

I'm also curious why it's important to have this code in the 
distribution. What practical use does it serve? Shouldn't we just stick 
with blowfish et al anyway?

I find Red Hat to be a pretty competent company, and I'm a fairly heavy 
user. I have no problem with them dropping this cipher if they see fit. 
It's certainly no threat to security not to have an apparently 
questionable cipher in the mix. It is perhaps odd that no one from Red 
Hat has chimed in on this, but maybe that just means that the DMCA 
threat explanation is the right one.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>




More information about the openssh-unix-dev mailing list