Considering shipping ssh-keysign non-setuid
Theo de Raadt
deraadt at openbsd.org
Sat May 16 04:07:58 AEST 2026
Marc Haber <mh+openssh-unix-dev at zugschlus.de> wrote:
> The way Colin suggests it would just be one documented command away
> from getting fully functional again, with that decision being
> preserved through package updates. I disagree with your reckoning that
> this would "delete" the program.
At least Colin understands that this would mean *we* receive the reports
when this divergence affects people.
Why don't you remove all the other setuid bits on Debian programs
tomorrow?
People can just run one documented command to make each of those programs
functional again.
/sarc