RedHat forks OpenSSH?

Paul Iadonisi pri.rhl3 at iadonisi.to
Tue Nov 9 00:04:30 UTC 2004


[Not cross-posting my response.]

On Mon, 2004-11-08 at 15:26, seth vidal wrote:

[snip]

> Do you find that a cross-posted missive to a set of lists like this is:
> 1. less or more inflammatory than a post to the openssh maintainer
> @redhat.com?
> 2. less or more productive than an entry in bugzilla about the details?

  And to top it off, this:

===
va:iadonisi:502) rpm -qlp openssh-3.9p1-7.src.rpm
openssh-3.6.1p2-groups.patch
openssh-3.8.1p1-krb5-config.patch
openssh-3.8.1p1-skip-initial.patch
openssh-3.8p1-gssapimitm.patch
openssh-3.9p1-noacss.tar.gz
openssh-3.9p1-redhat.patch
openssh-nukeacss.sh
openssh-selinux.patch
openssh.spec
===

  makes it pretty damn clear that it is *not* the tarball that comes
from the official OpenSSH site due to the renaming of the tarball.  AND
the name of the new tarball (PLUS the 'nukeacss' patch) makes it pretty
damn clear what the purpose is.
  I don't even need a clarification from Red Hat as it is obvious: if
other distributions wish to put their businesses at risk of being
slapped around by the MPAA and/or the DVDCCA, then have at it.  Red Hat
has every right (and responsibility, frankly) to eliminate this
unnecessary algorithm from their version of openssh.
  Perhaps Red Hat could have discussed it with OpenSSH developers, but
how many want to bet that the outcome would have been any different? 
And is the outcome at all bad?  It's the removal of an algorithm that,
as best as I can tell, is not needed and presents possible legal risk
given the precedent already set in the 2600 case.  Perhaps, as courts
get a better clue about technology (which is happening, albeit slowly),
it will be less of a problem.
  As far as support goes, it is obviously fully within the rights of the
OpenSSH team to disown this so-called fork.  Red Hat doesn't *support*
Fedora Core, anyhow, and isn't likely to tell RHEL customers to 'go to
the OpenSSH team' for OpenSSH support.
  So I'm with Seth, here.  Even only a *cursory* look at the source rpm
(which the OpenSSH team appears to have done, hence this heavily
cross-posted message) easily reveals what Red Hat has done.  Nothing
clandestine about it at all.  This should have been dealt with through
the other channels Seth has mentioned instead of assuming the worst and
blasting a message to four mailing lists, including one (fedora-list)
with many inexperienced users (that's why a lot of them are on the
list...for help) who may end up quite frazzled by it.  Makes one wonder
if that was the intention.

-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets



