Date: Fri, 20 Apr 2012 17:16:43 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: owl and openssh

On Thu, Apr 19, 2012 at 07:05:55AM +0200, Paweł Hajdan, Jr. wrote:
> Isn't upstream interested in those owl patches? Have they been submitted
> and rejected?

I discussed the key blacklisting stuff with upstream while we were still designing it (we'd consider their preferences if any). They did not want it. Yet we wanted to have it, and we actually caught some weak keys (from Debian systems) in the wild shortly after we deployed those updated packages on clients' Owl-based systems that we manage (and where their other contractors, etc. have accounts). So those would be real vulnerabilities in real systems if we did not include that code.

It is understandable that OpenBSD did not want to complicate their code because of another project's fault, and OpenSSH portable did not want to differ in this respect this time. They would potentially include generic user-configurable blacklisting, but implementation- and user-interface-wise it would need to be substantially different from the efficient mass blacklisting of a fixed set of keys that we needed for dealing with the Debian incident.

In general, OpenSSH patches that we have were considered for upstream relevance. Some were submitted, a subset of those were merged. I started typing specific info here, but the list was quickly getting long, so I felt that it's not a productive use of my time. Perhaps you did not mean to spend much of my time on an elaborate answer with your quick question.

Alexander
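The message above contrasts "efficient mass blacklisting of a fixed set of keys" with generic user-configurable blacklisting. The following is an added example, not Owl's sshd patch and not part of the original thread, showing the shape of the fixed-set approach: every public key is reduced to a short identifier (here, assumed to be the last 20 hex digits of the SHA-1 of the decoded key blob), the identifiers of known-weak keys are kept as one sorted table, and each key offered at login costs one base64 decode, one hash and one binary search. The key lines, blacklist entries and helper names (`make_key_line`, `key_id`, `load_blacklist`, `is_blacklisted`, `filter_authorized_keys`) are all constructed for this example; the "weak" key is arbitrary bytes, not a real Debian weak key.

```python
"""Fixed-set SSH public key blacklist lookup (illustrative example, not Owl's code)."""
import base64
import bisect
import hashlib
import struct

# Fields that start with one of these prefixes mark the key type in an
# authorized_keys line (options such as command="..." may precede it).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_key_line(keytype: str, raw: bytes, comment: str) -> str:
    """Build an authorized_keys-style line from a key type and raw key bytes.

    The blob layout (type string, then key material) matches how OpenSSH
    encodes keys, but the key bytes here are constructed, not real keys.
    """
    blob = _ssh_string(keytype.encode()) + _ssh_string(raw)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def key_id(line: str) -> str:
    """Derive the blacklist identifier for one public key line.

    Assumption for this example: SHA-1 of the decoded key blob, truncated to
    its last 20 hex digits.  Truncation keeps the table small; against a
    fixed set of weak keys the false-positive probability is negligible.
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(fields[i + 1], validate=True)
            return hashlib.sha1(blob).hexdigest()[-20:]
    raise ValueError("not a public key line")


def load_blacklist(text: str) -> list:
    """Parse a blacklist file: one identifier per line, '#' starts a comment.

    The result is sorted so that lookups can use binary search; with a
    fixed set the sorted table could equally be compiled into the daemon.
    """
    ids = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            ids.append(entry.lower())
    ids.sort()
    return ids


def is_blacklisted(line: str, blacklist: list) -> bool:
    """True if the key on this line is in the sorted blacklist (O(log n))."""
    ident = key_id(line)
    i = bisect.bisect_left(blacklist, ident)
    return i < len(blacklist) and blacklist[i] == ident


def filter_authorized_keys(text: str, blacklist: list) -> tuple:
    """Split an authorized_keys file into (accepted, rejected) key lines."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        (rejected if is_blacklisted(line, blacklist) else accepted).append(line)
    return accepted, rejected


# Constructed sample data: three keys, the second of which is "weak".
WEAK_KEY = make_key_line("ssh-ed25519", bytes(range(32)), "weak@example")
GOOD_KEY_A = make_key_line("ssh-ed25519", bytes(range(1, 33)), "a@example")
GOOD_KEY_B = make_key_line("ssh-ed25519", bytes(range(2, 34)), "b@example")
BLACKLIST = load_blacklist("# constructed blacklist\n" + key_id(WEAK_KEY) + "\n")
AUTHORIZED_KEYS = "\n".join([GOOD_KEY_A, WEAK_KEY, GOOD_KEY_B])

if __name__ == "__main__":
    ok, bad = filter_authorized_keys(AUTHORIZED_KEYS, BLACKLIST)
    print(f"{len(ok)} accepted, {len(bad)} rejected")
```

The point of the design is that the table is data, not policy: the daemon never has to parse per-user configuration or consult a file at authentication time, which is what makes it cheap enough to apply to every key on every login. A user-configurable variant would need a format, a reload path and an interface for administrators, which is the divergence the message describes.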