A request: update to current OpenSSH
Warren Togami
warren at togami.com
Thu Feb 5 20:39:46 UTC 2004
Jesse Keating wrote:
> On Thursday 05 February 2004 10:27, Steve Snyder wrote:
>
>>I would like to make a request: please provides updates to the
>>OpenSSH packages.
>>
>>The current version of OpenSSH for RH v7.3 is 3.1p1-14 while the
>>current version of OpenSSH itself is 3.7.1p2-1.
>>
>>Given how critical OpenSSH is for system security, can we please get
>>a packaging of the contemporary version of this software?
>>
>>(Yes, I am aware that I can build my own RPMs. I'd prefer, though,
>>to stay in sync with the Legacy packaging.)
>
>
> We don't upgrade packages just to upgrade them. Newer != better. As
> flaws are found in the OpenSSH that is in use right now, we'll patch
> the packages.
>
> If you'd like to build new packages, feel free to point folks to your
> packages, but they will not be Legacy supported.
>
Also be aware that RH avoided one of the recent potential opensshd
remote vulnerabilities by NOT upgrading to a newer openssh, but patching
an older version. The old version in default RH configuration was not
vulnerable to one particular issue.
This is another reason why newer version is not always better. In the
case of older distributions, sometimes "better tested over time" is
often better.
Legacy should only upgrade versions if very specific criteria that we
defined on this mailing list (are these copied to the web page?) are
met, mainly in cases where upgrading would allow syncing versions of
multiple similar distributions and testing indicates that there are
seemingly no regressions. Upgrading is the exception and not the rule.
Warren
More information about the fedora-legacy-list
mailing list