Followup on Inquiry about regreSSHion postmortem
Theo de Raadt
deraadt at openbsd.org
Thu Aug 21 00:02:30 AEST 2025
Rene,
Your idea of what happened is a complete fiction.
It is very clear you don't understand the development practice used by
OpenSSH software which also has a -portable version:
https://www.openssh.com/portable.html
This methodology avoids sprinkling the main body of code ('the underlay')
with thousands of #ifdef and special features, and forces management of
such changes into a -portable ('an overlay'). We've done it like this
from the beginning of offering -portable to the public as a gift. That
methodology can get very complicated behind the scenes, yet it is
managed by only 2 people.
Then at some point, a minor merge error happened in the -portable overlay,
which turns into a VERY MUCH NON-PRACTICAL attack.
I still believe this split model of managing the software is way less
complicated, less risky, keeps everyone's eye on the ball. I also think
it avoids errors like this most of the time, but eventually after tens
of thousands of commits an error is going to happen.
But you don't describe the process.
You jump to assuming malice. You presume that the diff landed in a fashion
which is not matched by the commit logs between the multiple trees.
There's no question -- your writing is presuming the change was
intentionally hazardous.
That accusation is hilarious. Your position is laughable.