On Sun, Jul 17, 2011 at 1:22 AM, Theo de Raadt <dera...@cvs.openbsd.org>
wrote:
>> On Sat, Jul 16, 2011 at 5:22 PM, Theo de Raadt <dera...@cvs.openbsd.org>
wrote:
>> >> It does look like an open source result of some talented people, not
>> >> an OpenBSD or BSD specific result.
>> >
>> > OpenSSH happened as a *direct result* of the types of decisions that
>> > OpenBSD developers make.
>>
>> Hi, Theo. That would be a compelling point if those decisions were
>> automatically good ones. Simply being "the types of decisions that
>> OpenBSD developers make" is not automatically a selling point, as
>> evidenced by the relatively small market share of OpenBSD itself. I'm
>> going to dig into some history here.
>>
>> The result of "the types of decisions that OpenBSD developers make"
>> are precisely why it is marginalized. The core technology is robust
>> and excellent, but the featureset is not only limited, but actively
>> dangerous.  I'll explain why: this gets into some serious way-back
>> history, but I'm not seeing any change.
>
> Fascinating.

And justified. Notice the complete lack of actually addressing the issues.

[ Technical issues snipped for brevity. ]

> Wow, it's a real bummer that OpenBSD has caused you so much harm.  Have
> you considered trying to live 100% without our software?  Of course, if
> you did that, you'd have to keep your mouth shut, wouldn't you.  That
> does not seem in your nature..

And submitting patches, bug reports, or concerns is what a mailing list is for.

[ More examples of OpenSSH pain snipped for brevity. ]

> Your pain runs very deep.  Have you considered suicide?
>
>> This is compounded by the longstanding refusal to accept chroot cage
>> integration for SSH or SCP. (Yes, it's me: I was one of the people
>> publishing such patches over a decade ago.) Debian has actually
>> provided some tools for helping set that up,
>
> Ah, yes, Debian.  They have an amazing history when it comes to
> patching our code....  good luck with that.

My first patches were on SunOS. I updated someone else's patches and
republished roughly..... 5 years ago? It's not difficult, the
underlying codebase is robust.

They're not actually patching your code: they're generating wholesale
chroot cages with dedicated OpenSSH servers inside them, which is more
awkward but creates less risk of destabilizing the code base. It's
awkward, but functional if you don't mind users seeing local /lib,
/etc., /usr/bin. etc. infrastructure. Not so good if you want to
create a software mirror repository: you need to integrate in
something like rsync with a wrapper for that.

The result (for those of you who haven't had to pursue this sort of
thing) is a bit precarious.

[ More details excluded for brevity. ]


>> If we couple all of those decisions, mostly policy decisions, with the
>> longstanding incapability to transfer symlinks as symlinks, rather
>> than as the targets of the symlink, by both SFTP and SCP, and the
>> direct result of those decisions doesn't look so hot, even though the
>> underlying protocol and implementation in OpenSSH have much to
>> recommend them.
>
> Your grief would seem more sincere if it didn't look like a shopping
> list.  Except your name or those you work for do not occur in the
> donations list or anywhere else...

I'm not acting as their representative on this mailing list. I'll send
you a couple of names privately, if you like, but I've been a patch
and bug and integrator for long enough with OpenSSH and with open
source and freeware projects in general that I think I've earned
better. I'll send you a couple of employer's names privately if you
like, or to someone who has access to your contributors list to verify
that they've lived up to their agreements with me. (They should have:
OpenSSH was a lot cheaper than 10,000 F-Secure licenses, and easier to
integrate.)

Has NX been sending any money? I've been steering clients their way to
their superior, low bandwidth toolkit for X services, which usually
reside on top of OpenSSH. They've got a new release in alpha testing.

>> This last one is actually built into the RFC's, but if
>> a new RFC is needed, then it's about time.
>
> We don't author the RFC.  But thanks for trying to make us responsible
> for that, too.  Pray tell, what are you responsible for, besides
> bitching out other people's efforts?

Lately? Among other things, I wrote an ssh-keyscan toolkit for
correctly integrating domain scans and integration of alternate port
entries into ssh_known_hosts. I've got to pull out the source control
integration before publishing, and need paperwork signed to publish
it, but it helps deal with the "ssh-keyscan does not list alternative
ports used in its output". Very useful when you have dedicated SSH
servers in high availability mode scattered around a network and
CNAME's used to swap the service. (See previous comments on Subversion
repository SSH integration.) Mostly sys-admin work these days, less
chance to play with source.


>> The result is that I'd *rather* trust the end-to-end encryption of the
>> underlying SSH protocol. But the missing basic security features,
>> whose absence is either tacitly accepted (such as making passphrase
>> keys more difficult to use), or a matter of deliberate policy (such as
>> refusal to work with chroot cages for SSH or SCP) have seriously
>> impeded the use and security of OpenSSH itself. So I have some
>> longstanding, and I think well-founded, concerns about "the types of
>> decisions that OpenBSD developers make".
>
> Wow, you are just about the biggest prick I've read a message from in
> months.  Try to have a better day, ok?

*THANK* you. I'd avoided getting into personalities, but you couldn't
have more clearly added another point to my concerns about "the types
of decisions that OpenBSD developers make". The reason you don't see
such messages is that most people who call your wisdom into question
don't care to waste their time: they simply leave. It's a factor that
"marginalizes BSD" that I wasn't going to bring up, but you seem to
have done it for me.

Again, thank you!
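The ssh-keyscan integration described in the message above (recording alternate-port services and their CNAME aliases in ssh_known_hosts) can be illustrated with a small script. This is an added example for this page, not the poster's toolkit and not OpenSSH code. The known_hosts syntax it relies on is documented in sshd(8): a non-default port is written as `[host]:port`, and several names for one key are joined with commas. The file name `hosts.txt`, its `name alias port` line format, and the sample key material in the usage note are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenSSH): turn raw
# ssh-keyscan output into ssh_known_hosts entries that pin the host key
# to the non-default port and to the CNAME alias the clients actually use.
# Assumption (hypothetical): hosts.txt holds lines "canonical-name alias port".

# known_hosts_name NAME ALIAS PORT
# Prints the host field of a known_hosts line: "[name]:port,[alias]:port"
# for a non-default port, plain "name,alias" for port 22 (sshd(8) syntax).
known_hosts_name() {
    name=$1; cname=$2; port=$3
    if [ "$port" = "22" ]; then
        if [ -n "$cname" ]; then printf '%s,%s\n' "$name" "$cname"
        else printf '%s\n' "$name"; fi
    else
        if [ -n "$cname" ]; then
            printf '[%s]:%s,[%s]:%s\n' "$name" "$port" "$cname" "$port"
        else
            printf '[%s]:%s\n' "$name" "$port"
        fi
    fi
}

# rewrite_keyscan ALIAS PORT < keyscan-output
# ssh-keyscan prints one "host keytype base64key" line per key (plus
# "# ..." comment lines); the host field is replaced so the entry matches
# both "ssh -p PORT canonical-name" and "ssh -p PORT alias". A host already
# written as "[host]:port" is accepted and reduced to the bare name first.
rewrite_keyscan() {
    cname=$1; port=$2
    while read -r host keytype key; do
        case "$host" in
            ''|'#'*) continue ;;                      # blank line or keyscan comment
            \[*\]:*) host=${host#\[}; host=${host%\]:*} ;;  # strip [ ]:port wrapper
        esac
        printf '%s %s %s\n' "$(known_hosts_name "$host" "$cname" "$port")" "$keytype" "$key"
    done
}

# scan_hosts HOSTFILE
# Runs ssh-keyscan for each "name alias port" line and emits a deduplicated
# known_hosts fragment. Needs network access; not part of the offline check.
scan_hosts() {
    while read -r name cname port; do
        [ -n "$name" ] || continue
        ssh-keyscan -p "$port" "$name" 2>/dev/null | rewrite_keyscan "$cname" "$port"
    done < "$1" | sort -u
}
```

Usage: `scan_hosts hosts.txt >> /etc/ssh/ssh_known_hosts`, then check a client's view with `ssh-keygen -F '[svn.example.net]:2222' -f /etc/ssh/ssh_known_hosts`. If the names themselves should not be readable from the file, pass the result through `ssh-keygen -H -f` afterwards; the script leaves them in the clear so the aliases can be audited. Because the alias is recorded alongside the canonical name, swapping a CNAME between two high-availability servers only requires that both servers' keys be present, not that clients accept a changed key.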
