RedHat forks OpenSSH?

[Jefferson Ogata]

Theo de Raadt wrote:
>Jefferson Ogata wrote:
[attribution restored]
>>I'm also curious why it's important to have this code in the 
>>distribution. What practical use does it serve? Shouldn't we just stick 
>>with blowfish et al anyway?
>>
>>I find Red Hat to be a pretty competent company, and I'm a fairly heavy 
>>user.
> 
> <snip>
> 
> Then you talk to them.  You just lost some people's support.

I don't understand the petulant attitude. All I've ever done here is to 
contribute; I've never asked for support. Why are you so married to this 
bit of code that you're willing to alienate people over it? I have no 
doubt that you understand the practical issue here: there's no point in 
including code someone--right or wrong--might sue you over, if that code 
doesn't do anything particularly useful. Of all the ciphers in openssh, 
acss is clearly the one that has been tangentially the subject of a lot 
of recent litigation, and that not for use, but for dissemination of 
code. Personally, if I can do something simple, cheap, and harmless to 
avoid getting a subpoena, I'll do it. I have mouths to feed and real 
work to do.

What it's starting to sound like is that a few openssh developers 
decided it was time to use openssh to take a stand against RIAA on 
CSS--lamely, I might add: acss in openssh is completely unnecessary. If 
so, this is just going to marginalize openssh, and we should expect to 
see vendors react to protect themselves. If you don't feel like 
supporting those vendors' customers, fine--the rest of us will do it. 
But it would seem kind of selfish on the part of those who want to take 
a stand if they also use it as an excuse to avoid helping people. That's 
all it is: an excuse. I read the questions people post here; I'll be 
amazed if Red Hat's omission of acss or their modified tarball ever, 
ever arise as practical support issues.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>