Debian Changes OpenSSH Packaging

(lwn.net)

25 points | by todsacerdoti 21 hours ago

4 comments

  • jmclnx 19 hours ago

    > Debian carries nearly 40 patches against OpenSSH

    Holy cow. This is one of the reasons I like Slackware: they avoid patching upstream. The only patches Slackware applies are for tcp-wrappers and pam. I wish they were not needed. But Slackware was forced to allow pam for audio IIRC. As for tcp wrappers, we should move on from that.

    Seems Debian is like the FreeBSD of Linux. Last time I used FreeBSD they were famous for patching ssh and I think in the 8x days that got them in a bit of trouble. I remember being recommended to use ssh from ports at that time for a brief period. Forgot the reason why.

    • dhrgaN 18 hours ago

      Also:

      "OpenSSH was patched so that it could notify systemd when it was ready to accept connections, using the libsystemd library, which in turn had a dependency on the liblzma library that was compromised."

      I still remember the Debian OpenSSL patch fiasco. This one has a different angle:

      Why would you link a security sensitive application against a God library (word play on God object). DJB avoided much of libc in his software so it would not depend on libc bugs.

      Of course his software never received much interest because people only want to modify the software of others until it is as buggy as their own.
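
The libsystemd dependency quoted above exists only to deliver a one-line readiness message, which needs no library at all. As an added example (not OpenSSH's, Debian's or systemd's code), this C function speaks the NOTIFY_SOCKET unix-datagram protocol directly and includes a self-check against a constructed temporary socket; the temp-dir path and the `self_test` helper are assumptions of the example.

```c
#define _GNU_SOURCE           /* mkdtemp, setenv, unsetenv */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send one sd_notify-style state ("READY=1\n") to the socket named by NOTIFY_SOCKET.
 * Returns 0 when unset (not supervised), 1 when sent, -1 on a bad path or socket error. */
int notify_supervisor(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    socklen_t len;
    int fd, rc;

    if (path == NULL || path[0] == '\0') return 0;
    /* systemd accepts only absolute paths or "@abstract" names */
    if ((path[0] != '/' && path[0] != '@') || strlen(path) >= sizeof(addr.sun_path)) return -1;
    memcpy(addr.sun_path, path, strlen(path));
    len = offsetof(struct sockaddr_un, sun_path) + strlen(path) + 1;
    if (path[0] == '@') { addr.sun_path[0] = '\0'; len--; } /* abstract: leading NUL, no trailing NUL */
    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) return -1;
    rc = sendto(fd, state, strlen(state), 0, (struct sockaddr *)&addr, len);
    close(fd);
    return rc < 0 ? -1 : 1;
}

/* Self-check with a throwaway datagram socket in a constructed temp dir: unset variable
 * must give 0, a bound socket must give 1 and receive exactly "READY=1\n". 1 = all good. */
int self_test(void)
{
    char dir[] = "/tmp/notify-XXXXXX", path[64], buf[32];
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd, ok = 0;

    unsetenv("NOTIFY_SOCKET");
    if (notify_supervisor("READY=1\n") != 0 || mkdtemp(dir) == NULL) return 0;
    strcpy(path, dir); strcat(path, "/notify.sock");
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        setenv("NOTIFY_SOCKET", path, 1) == 0 && notify_supervisor("READY=1\n") == 1)
        ok = (recv(fd, buf, sizeof(buf), 0) == 8 && memcmp(buf, "READY=1\n", 8) == 0);
    if (fd >= 0) close(fd);
    unlink(path); rmdir(dir); unsetenv("NOTIFY_SOCKET");
    return ok;
}
```

A daemon calls `notify_supervisor("READY=1\n")` once its listening socket is bound; outside systemd the variable is unset and the call is a no-op.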

  • move-on-by 18 hours ago

    > … [Colin Watson] invited SELinux experts to weigh in. No SELinux experts turned up to voice an opinion one way or another, and that patch remains.

    Very interesting. I see similar things happen at my work: some technical decision where a more senior engineer, feeling middle of the road on the choice, asks people to weigh in, and no one does.

    I 100% agree with Mr. Watson to remove the dependency, but I’m also not an SELinux expert.

  • 19 hours ago
    [deleted]