RedHat forks OpenSSH?
djm at mindrot.org
Mon Nov 8 20:23:44 UTC 2004
It has just come to my notice that Redhat is planning to ship a
forked version of OpenSSH. The change goes beyond the usual
patches applied to RPMs in the build process: Redhat have built
their own OpenSSH tarball and are using that in their source RPM
instead of the official release distribution. If you are
interested, have a look at the openssh-3.9p1-7.src.rpm from the
Fedora development/ directory.
This source tarball is modified from the official portable
OpenSSH distribution. It does not have a digital signature, an
independent download site or even a basic list of changes. From
diffing this source against the official release, it appears that
the only change is deletion of files related to the experimental
ACSS cipher. It is unclear why Redhat has chosen to do this: the
cipher is disabled by default and their own Cygwin product has
shipped these same files for many months, as have many other
Nobody disputes Redhat's right to fork OpenSSH, but why does
Redhat not make their desired changes through the standard RPM
patching mechanism? By distributing their own OpenSSH tarballs
instead of patching pristine sources, Redhat breaks the link of
transparency, accountability and trust that their own RPM build
model is supposed to provide.
We are also curious as to the extent that the community was
involved in this decision; OpenSSH is developed by volunteers and
Fedora is at least ostensibly a community effort. The OpenSSH
developers were not contacted and there does not appear to have
been any discussion of the change on any public mailing list.
Even the RPM Changelog entry "disable ACSS support" greatly
understates the nature of the change. It appears that the
community was not consulted at all and that this change was made
unilaterally by Redhat, with no explanation.
The OpenSSH developers have neither the time nor the desire to
investigate the changes Redhat makes to OpenSSH under the cover
of their modified source tarball. As such, we will be forced to
disregard support requests from users of Redhat or Fedora
systems. Security conscious users are advised to audit the Redhat
changes themselves (for each RPM release) or build OpenSSH from
the original sources.
We consider it very disappointing that Redhat has decided to
effectively fork OpenSSH without consulting the OpenSSH
developers or their own community. It is not too late for Redhat
to reconsider, or for the community to urge them to do so.
More information about the devel