On Wed, 20 Aug 2025 at 14:50, Rene Malmgren <rene.malmgren@xxxxxxxxxxx> wrote:
>
> Before I say anything about the matter at hand, I would like to comment on a few general things. I have been using ssh for about 30 years. OpenSSH has been the implementation that I have used by far the most, so it's an understatement that I take no pleasure in the statement below. But on the other hand, cybersecurity is important to me, and it is totally unacceptable to be in a situation where backdoors are purposely introduced into the most critical software our society depends on by its lead developer, and nothing happens.
>
> First of all, it is incorrect to say (as Damien does below) that I am accusing anybody of anything; I am not a prosecutor, so it's not my role to accuse people of things. What I do is go over code and make assessments of what has happened, and from that make recommendations about actions our customers should take to avoid being targeted by attackers in the future. I work in the crypto industry, so for us security matters, so this should be no small matter.
>
> I made a post mortem on CVE-2024-6387 when it was released, and my clear recommendation based on the evidence found in the git logs was (and still is): decommission and replace. Actually, looking at how the OpenSSH community has handled what has happened, the recommendation is if anything on firmer ground; more on that below.
>
> I have made a rewrite of the original recommendation that was in a PDF on my (private) blog, if anybody is interested.
>
> https://againstallflags.wordpress.com/2025/08/05/regrettable-regresshion/

I read your report. Your conclusion is to "decommission and replace OpenSSH" with Dropbear, which lacks several proactive security features found in OpenSSH like privsep and sandboxing? I disagree strongly with your assessment from a security PoV. As stated before, I'm still surprised that more of those mistakes have not happened.

Several open source projects have one person paid full-time to support only the build system (CI/CD). djm can make mistakes. I made a mistake too that was committed to OpenBSD several years ago. You can help OpenSSH get better by actually sending bug reports before a release is made. Isn't this a better course of action?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev