Subject: Re: security/ssh vs distfiles/vulnerabilities
To: None <>
From: David Maxwell <>
List: tech-pkg
Date: 06/13/2001 21:36:44
On Thu, Jun 14, 2001 at 09:16:02AM +0900, wrote:
> >Just point me to the thread if I missed a discussion...
> >Right now distfiles/vulnerabilities says ssh<1.2.31 is vulnerable.
> >The latest version in pkgsrc is 1.2.27nb1, whose patch-ac seems to
> >address the issue that the vulnerabilities file points to.
> >So... should security/ssh be marked BROKEN, or the entry in
> >vulnerabilities be removed, or... something else?
> >Currently the package is 'clean', but audit-packages reports it broken.
> >That's bad.
> 	basically i would suggest using openssh.  should we really mark
> 	security/ssh BROKEN?  or move security/ssh to ssh.com ssh 3.x?

The comment in the Makefile seems to indicate that we're not allowed to
modify versions >1.2.28

# We do not upgrade to 1.2.28 and beyond, intentionally.  There was
# change between 1.2.27 and 1.2.28, and the new license prohibits us
# modifying/redistributing it.

This problem affects security/ssh6 as well, of course.

I'd rather see it marked BROKEN than have people install it, get no
warning, and expose their systems.

David Maxwell,| --> The only difference I see
between voodoo and marketing research is that voodoo sometimes works! 
						- Leonard Stern