RedHat forks OpenSSH?

Marc Aurele La France tsi at ualberta.ca
Tue Nov 9 07:42:11 EST 2004


On Tue, 9 Nov 2004, Damien Miller wrote:

> It has just come to my notice that Redhat is planning to ship a
> forked version of OpenSSH. The change goes beyond the usual
> patches applied to RPMs in the build process: Redhat have built
> their own OpenSSH tarball and are using that in their source RPM
> instead of the official release distribution. If you are
> interested, have a look at the openssh-3.9p1-7.src.rpm from the
> Fedora development/ directory.

> This source tarball is modified from the official portable
> OpenSSH distribution. It does not have a digital signature, an
> independent download site or even a basic list of changes. From
> diffing this source against the official release, it appears that
> the only change is deletion of files related to the experimental
> ACSS cipher. It is unclear why Redhat has chosen to do this: the
> cipher is disabled by default and their own Cygwin product has
> shipped these same files for many months, as have many other
> Linux distributions.

> Nobody disputes Redhat's right to fork OpenSSH, but why does
> Redhat not make their desired changes through the standard RPM
> patching mechanism? By distributing their own OpenSSH tarballs
> instead of patching pristine sources, Redhat breaks the link of
> transparency, accountability and trust that their own RPM build
> model is supposed to provide.

> We are also curious as to the extent that the community was
> involved in this decision; OpenSSH is developed by volunteers and
> Fedora is at least ostensibly a community effort. The OpenSSH
> developers were not contacted and there does not appear to have
> been any discussion of the change on any public mailing list.
> Even the RPM Changelog entry "disable ACSS support" greatly
> understates the nature of the change. It appears that the
> community was not consulted at all and that this change was made
> unilaterally by Redhat, with no explanation.

> The OpenSSH developers have neither the time nor the desire to
> investigate the changes Redhat makes to OpenSSH under the cover
> of their modified source tarball. As such, we will be forced to
> disregard support requests from users of Redhat or Fedora
> systems. Security conscious users are advised to audit the Redhat
> changes themselves (for each RPM release) or build OpenSSH from
> the original sources.

> We consider it very disappointing that Redhat has decided to
> effectively fork OpenSSH without consulting the OpenSSH
> developers or their own community. It is not too late for Redhat
> to reconsider, or for the community to urge them to do so.

> Regards,
> Damien Miller

Welcome to the world of "Open Source", as defined by RedHat.

XFree86 has already suffered the same fate.

Marc.

+----------------------------------+-----------------------------------+
|  Marc Aurele La France           |  work:   1-780-492-9310           |
|  Computing and Network Services  |  fax:    1-780-492-1729           |
|  352 General Services Building   |  email:  tsi at ualberta.ca       |
|  University of Alberta           +-----------------------------------+
|  Edmonton, Alberta               |                                   |
|  T6G 2H1                         |     Standard disclaimers apply    |
|  CANADA                          |                                   |
+----------------------------------+-----------------------------------+
XFree86 developer and VP.  ATI driver and X server internals.
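The audit that Damien's message recommends (diff the vendor's tarball against the official release and look at every file that was added, removed or changed) is easy to automate. The script below is an added example and is not part of this thread or of OpenSSH; it assumes the two trees have already been unpacked (for an RPM, `rpm2cpio openssh-3.9p1-7.src.rpm | cpio -idm` to get at the vendor tarball, and `gpg --verify` on the upstream tarball's detached signature before trusting it as the reference). It builds per-file SHA-256 manifests of both trees and classifies the differences; the sample trees it creates are constructed stand-ins with placeholder contents, not OpenSSH sources, and the file names in them are illustrative only.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: compare a vendor-supplied
# source tree against the upstream release tree and list every file that was
# added, removed or modified. Assumes both trees are already unpacked and that
# the upstream tree was obtained from a signature-verified release tarball.
set -eu

# Print the SHA-256 of one file (GNU coreutils sha256sum or BSD shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# manifest DIR: emit "hash  ./relative/path" for every regular file under DIR,
# in a stable (byte-wise sorted) order so two manifests are directly comparable.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done )
}

# compare_trees UPSTREAM_DIR VENDOR_DIR
# Prints one line per difference ("added PATH", "removed PATH", "modified PATH"),
# sorted; returns 0 when the trees are identical and 1 otherwise.
compare_trees() {
    cmp_up=$(mktemp); cmp_vend=$(mktemp)
    manifest "$1" > "$cmp_up"
    manifest "$2" > "$cmp_vend"
    # First pass loads the upstream manifest into an array keyed by path; the
    # second pass classifies each vendor file and deletes it from the array, so
    # whatever is left at END exists only upstream (i.e. was removed by the vendor).
    cmp_result=$(awk 'NR==FNR { upstream[$2] = $1; next }
        {
            if (!($2 in upstream)) print "added " $2
            else {
                if (upstream[$2] != $1) print "modified " $2
                delete upstream[$2]
            }
        }
        END { for (f in upstream) print "removed " f }' "$cmp_up" "$cmp_vend" | LC_ALL=C sort)
    rm -f "$cmp_up" "$cmp_vend"
    if [ -n "$cmp_result" ]; then
        printf '%s\n' "$cmp_result"
        return 1
    fi
    return 0
}

# Constructed sample trees (placeholder contents, not OpenSSH sources): the
# "vendor" copy drops two cipher-related files, edits one file and adds one.
make_sample_trees() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/upstream" "$sample_root/vendor"
    for f in README cipher.c acss.c acss.h sshd.c; do
        printf 'placeholder contents of %s\n' "$f" > "$sample_root/upstream/$f"
    done
    cp "$sample_root/upstream"/* "$sample_root/vendor/"
    rm "$sample_root/vendor/acss.c" "$sample_root/vendor/acss.h"
    printf 'edited in vendor tree\n' >> "$sample_root/vendor/cipher.c"
    printf 'vendor-only file\n' > "$sample_root/vendor/openssh-vendor.patch"
    printf '%s\n' "$sample_root"
}

# Demonstration run on the constructed trees.
demo_root=$(make_sample_trees)
compare_trees "$demo_root/upstream" "$demo_root/vendor" \
    || echo "trees differ: review the files listed above before trusting the build"
rm -rf "$demo_root"
```

Every "modified" or "added" line is a file whose content the distributor has not published as a patch, which is exactly the transparency gap the message complains about; "removed" lines are the deletions a bare changelog entry such as "disable ACSS support" would not show. Run it once per RPM release, since the vendor tarball can change between releases without the upstream version number changing.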




More information about the openssh-unix-dev mailing list