Date: Tue, 1 Jan 2002 13:06:01 -0800
From: "Crist J. Clark"
To: Robert Watson
Cc: John Hay, Randy Bush, freebsd-security@FreeBSD.ORG
Subject: Re: openssh version
Message-ID: <20020101130601.A153@gohan.cjclark.org>

On Tue, Jan 01, 2002 at 12:36:58PM -0500, Robert Watson wrote:
[snip]
> Eivind Eklund was looking at merging our various localizations forward
> (including PAM), and I'd really like to look at an upgrade in the post-4.5
> scenario. Getting it in before the release is (at this point) out of the
> question, however.

And this is the crux of the issue. Merging a new vendor version of
OpenSSH is non-trivial. In addition, there are frequently back
compatibility issues (e.g. with configuration files) with new
versions of OpenSSH.

For each person who asks, "Why isn't FreeBSD using the bleeding-edge
OpenSSH?" there will be several on -stable, "I just did an
installworld on a remote machine, and I can't access it via SSH any
more." Creating the potential for problems like this in STABLE is bad.

For these reasons and others, it is often more practical to patch
security fixes in the FreeBSD tree than to import fixes (and other
changes that come with it) from the vendor.

-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org