Oden Eriksson ([EMAIL PROTECTED]) wrote:
> On Friday, 11 October 2002 05.56, Han Boetes wrote:
>
> > Theo and Co make OpenSSH. They do their very best to make it work on
> > all platforms even though other people give them a hard time because
> > of all different kinds of versions of pam.
> >
> > And as long as everybody uses an unpatched version of  OpenSSH  they
> > can tell from the bug reports what is going on by looking  at  their
> > own source code. They want to do that. They feel responsible for the
> > product and they have a name to keep.
> >
> > Now somebody sees a nice looking patch and it is a perfectly written
> > patch. They will  get  questions  about  the  features  in  it.  For
> > something they never wrote.
> >
> > What if it contains a bug? They get the questions. And not from  one
> > or two people. No, thousands.
> >
> > What if it contains an exploit... go  figure  what  will  happen  to
> > them. And they really really didn't even do it.
>
> Like the last one, he he...

You can not precisely blame anyone in particular here.

Read these posts and look for the keyword ``pam''

    http://marc.theaimsgroup.com/?l=openbsd-misc&m=102496766218240&w=2

    http://marc.theaimsgroup.com/?l=openbsd-misc&m=102554219410989&w=2

I don't believe that putting the blame on anyone here is a good thing to
do.

> > I'd suggest being very careful with OpenSSH not to apply any  custom
> > patches other than things that make the build  go  right.  I'd  even
> > suggest honoring his opinion about pam just to make sure OpenSSH  is
> > secure and stays that way.
>
> Wow! Now you have made me grasp the whole picture. Thank you.
>
> In the beginning of this thread I was really thrilled and excited with
> this new feature..., now I'm not that sure anymore.
>
> Also, why  be  pioneers  and  guinea  pigs  for  a  closed  commercial
> proprietary software, even when this part of the code is BSD?.
>
> I tend to totally agree with you and  Vincent  Danen  now,  skip  this
> patch, forget I ever mentioned it.

Eh..

> But do make the OpenSSH authors aware of its existence,  if  not  done
> already,  they  might  even  like  it?.   Again,   here's   the   URL:
> http://www.vandyke.com/download/os/pks_ossh.html

Exactly. If Theo and Co approve of the patch there is  no  problem  with
applying it.



Groetjes, Han.
-- 
http://www.xs4all.nl/~hanb/software
