Subject: Re: FreSSH
To: Michael G. Schabert <mikeride@mac.com>
From: David Maxwell <david@vex.net>
List: current-users
Date: 03/08/2002 15:38:24

On Thu, Mar 07, 2002 at 11:48:38PM -0500, Michael G. Schabert wrote:
> At 11:32 PM -0500 3/7/02, David Maxwell wrote:
> 
> >Well, I'd like an sshd that I don't have to be ready to upgrade on every
> >exposed machine on a day's notice.
> >
> >It would be kind of nice to step away from the net for a few days, and
> >not wonder if everything's fallen apart while my back was turned.
> 
> C'mon, David, you know better than that. No program greater than a 
> hundred lines or so can have active development *and* be bug-free 
> every second.

Ahh. There's the rub. I don't want an sshd that's in development. I
don't use all the features OpenSSH has now. I want an sshd that conforms
to the protocol spec, and has bugfixes, but which is not in active
development.

> Every substantial program on the planet has had bugs 
> during its development. We still ship with sendmail too, and that has 
> had *far* more exploitable bugs than OpenSSH.

Sure, but I don't use it, because there are saner/safer mailers.

> No, you don't have to be prepared on a day's notice. The same could 
> be said the day after every security advisory for every utility 
> is released.

Most of said utilities aren't remotely exploitable. Apache exploits, for
example, would be similarly annoying. Most other things aren't.

> Heck, according to this advisory it has existed since 
> version 2.0 without anyone ever noticing.

Well, no one willing to tell the rest of us, anyway...

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville