On Thursday 05 February 2004 10:27, Steve Snyder wrote:
I would like to make a request: please provide updates to the OpenSSH packages.
The current version of OpenSSH for RH v7.3 is 3.1p1-14 while the current version of OpenSSH itself is 3.7.1p2-1.
Given how critical OpenSSH is for system security, can we please get a packaging of the contemporary version of this software?
(Yes, I am aware that I can build my own RPMs. I'd prefer, though, to stay in sync with the Legacy packaging.)
We don't upgrade packages just to upgrade them. Newer != better. As flaws are found in the OpenSSH that is in use right now, we'll patch the packages.
If you'd like to build new packages, feel free to point folks to your packages, but they will not be Legacy supported.
Also be aware that RH avoided one of the recent potential opensshd remote vulnerabilities by NOT upgrading to a newer openssh, but patching an older version. The old version in default RH configuration was not vulnerable to one particular issue.
This is another reason why a newer version is not always better. In the case of older distributions, sometimes "better tested over time" is often better.
Legacy should only upgrade versions if very specific criteria that we defined on this mailing list (are these copied to the web page?) are met, mainly in cases where upgrading would allow syncing versions of multiple similar distributions and testing indicates that there are seemingly no regressions. Upgrading is the exception and not the rule.
Warren