On Mon, 14 Jan 2008 08:14:52 -0500 (EST) "Dennis Clarke" <[EMAIL PROTECTED]> wrote:
> > > On Mon, 14 Jan 2008 00:36:13 -0500 (EST) > > "Dennis Clarke" <[EMAIL PROTECTED]> wrote: > > > >> > >> Sorry for the confusing subject line but this is really just about OpenSSH > >> as implemented in Solaris ( and various derivitives ) and any issues that > >> may exist between the OpenSSH team and the Solaris world. > > > > [snip] > > > >> So the short answer here is that I don't know what the Sun implementation > >> of > >> SSH is really but it seems to be NOT what we see at the source site. So > >> that > >> really is the only reason why I tend to run the packages built on > >> reference > >> servers that I trust and with source code drawn directly from the well. > >> > >> Am I wrong to think this way ? > > > > No. At least not in my opinion. From what you've described we can > > essentially conclude that "if it doesn't say OpenSSH, then you don't > > know what's inside". > > Well, the source is open and a diff of the portable OpenSSH with the SunSSH > bits would be most interesting to drag out into the light. In this way we > could look at what, if any, differences exist. lol... yeah, I almost added "in absence of code audit" but 1) it was late at night and I wanted to get to bed, and 2) figured that was obvious. > > That, in and of itself, would be plenty enough for > > me to favor your package build over what Sun bundles. > > Well not so for me. Not quite good enough. I feel like inserting an > automotive metaphor here but it is too early in the morning and I'm tired of > using cars to explain computers. fwiw, I've been running OpenBSD since circa 2.5 days, or thereabouts. Can't quite remember precisely, but companies I left ran left those things on the net essentially unmaintained for years and they never got cracked. So if you go with a version that OBSD bundles with a RELEASE, then you're probably pretty safe. btw- yes, I know OpenSSH did not yet exist for those early versions, but you get my point. > If it quacks like a duck, walks like a duck and looks like a duck. > Then that Sir is what I call a duck. > > http://en.wikipedia.org/wiki/Duck_test > > > but it is different .. isn't it. Yep. fwiw- here's from a even older OBSD box: $ ssh -V OpenSSH_4.3, OpenSSL 0.9.7g 11 Apr 2005 $ uname -rs OpenBSD 3.9 and aes256 is still supported. So Sun has apparently w/held some of the strong crypto stuff. I'll leave the rest up to the conspiracy theorists... -- Best regards, Ken Gunderson Q: Because it reverses the logical flow of conversation. A: Why is putting a reply at the top of the message frowned upon? _______________________________________________ opensolaris-discuss mailing list [email protected]
