Hi,

On Mon, Jan 01, 2018 at 07:52:26AM -0800, Peter Moody wrote:
> I would prefer that:
>
> * commercial vendors patched the software they sold
> * people who purchased from these vendors to take responsibility for
> their actions and apply pressure on the commercial vendors rather than
> the free software developers who provide the client software, for
> free.

You *are* aware what people are talking about? Like, management cards
for UPSes and such, where the important part is "will that UPS provide
reliable power for a reasonable price", a secondary question is "can I
monitor that thing in a reasonable way?", and a very very very minor
influencing factor is "will the management card do SNMPv3, or SSH with
a 2048 bit RSA key size"?

Your extreme point of view is just unrealistic for such devices and
vendors.

> and I'm not sure what your bugaboo is about a fractured user base; at
> any given time there are probably hundreds of different versions of
> openssh being distributed due to different os's, distros, etc.
>
> by the way, do you not see that every one of your arguments about the
> openssh client can be applied, almost verbatim, to the vendor supplied
> sshd? with the obvious exception that one is supplied by a commercial
> vendor.

Like, "making updates, and all of a sudden, working setups stop
working"?

I *have* seen this, and usually because the vendor imported a newer
version of OpenSSH, which broke existing functionality :-) (like,
Fortigate, which all of a sudden did not authenticate users with DSA
keys anymore, and no mentioning of it in the release notes...).

gert
--
now what should I write here...

Gert Doering - Munich, Germany    gert@xxxxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev