It has just come to my notice that Redhat is planning to ship a forked version of OpenSSH. The change goes beyond the usual patches applied to RPMs in the build process: Redhat have built their own OpenSSH tarball and are using that in their source RPM instead of the official release distribution. If you are interested, have a look at the openssh-3.9p1-7.src.rpm from the Fedora development/ directory.

This source tarball is modified from the official portable OpenSSH distribution. It does not have a digital signature, an independent download site or even a basic list of changes. From diffing this source against the official release, it appears that the only change is deletion of files related to the experimental ACSS cipher.

It is unclear why Redhat has chosen to do this: the cipher is disabled by default and their own Cygwin product has shipped these same files for many months, as have many other Linux distributions.

Nobody disputes Redhat's right to fork OpenSSH, but why does Redhat not make their desired changes through the standard RPM patching mechanism? By distributing their own OpenSSH tarballs instead of patching pristine sources, Redhat breaks the link of transparency, accountability and trust that their own RPM build model is supposed to provide.

We are also curious as to the extent that the community was involved in this decision; OpenSSH is developed by volunteers and Fedora is at least ostensibly a community effort. The OpenSSH developers were not contacted and there does not appear to have been any discussion of the change on any public mailing list. Even the RPM Changelog entry "disable ACSS support" greatly understates the nature of the change. It appears that the community was not consulted at all and that this change was made unilaterally by Redhat, with no explanation.

The OpenSSH developers have neither the time nor the desire to investigate the changes Redhat makes to OpenSSH under the cover of their modified source tarball. As such, we will be forced to disregard support requests from users of Redhat or Fedora systems. Security-conscious users are advised to audit the Redhat changes themselves (for each RPM release) or build OpenSSH from the original sources.

We consider it very disappointing that Redhat has decided to effectively fork OpenSSH without consulting the OpenSSH developers or their own community. It is not too late for Redhat to reconsider, or for the community to urge them to do so.

Regards,
Damien Miller
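One way to carry out the per-release audit the post recommends, as an added example that is not part of Damien Miller's message or of any Red Hat or OpenSSH tooling: compare the vendor source tarball (pulled out of the src.rpm beforehand, e.g. with rpm2cpio, which this script does not do) against the signed upstream tarball member by member, reporting removed, added and modified files. The file names and contents below are constructed sample data, and the ACSS file names are assumed.

```python
import hashlib
import io
import tarfile


def _members(tar_bytes):
    """Map each regular file's path inside the tarball to its SHA-256 digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def compare_tarballs(pristine, vendor):
    """Return paths removed, added and modified in `vendor` relative to `pristine`."""
    a, b = _members(pristine), _members(vendor)
    return {
        "removed": sorted(set(a) - set(b)),
        "added": sorted(set(b) - set(a)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def build_tarball(files, prefix):
    """Build a gzip tarball in memory from {path: text} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the vendor tarball drops the ACSS cipher files (assumed names)
# and leaves every other member byte-for-byte identical.
PRISTINE = {"cipher.c": "upstream cipher table", "acss.c": "acss impl",
            "acss.h": "acss header", "Makefile.in": "upstream makefile"}
VENDOR = {k: v for k, v in PRISTINE.items() if not k.startswith("acss")}

if __name__ == "__main__":
    report = compare_tarballs(build_tarball(PRISTINE, "openssh-3.9p1"),
                              build_tarball(VENDOR, "openssh-3.9p1"))
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

Check the upstream tarball's detached signature before using it as the reference; the script shows which members differ, not whether the difference is benign.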