[svlug] OpenSSH source may be trojaned, unless...

Bruce O. Benson benson at tux.org
Thu Aug 1 13:33:51 PDT 2002


On Thu, 1 Aug 2002, Drew Bertola wrote:

> That's the silliest conclusion I've ever read on this list, especially
> from a security SIG co-chair.  Running Debian has nothing to do with
> being OK.  Think about it first.

See my other post, but that's a conclusion you're making, not me.  I made a
statement of fact, regardless of what you read into it afterwards.  I stated
a single condition of sufficiency for safety based on what I had at hand.
No statement including or excluding any other distro was made, not to
diminish any of those fine software products by my exclusion.

I don't mind finding out who will rabidly grab the gasoline after projecting
their own conclusions into my statements, so thanks for the (additional)
datapoint.

> Let's say Sue runs Debian, but she just downloaded, built, and
> installed the trojaned openssh.  Is she ok?

"apt-get install source ssh" retrieves safe non-trojaned OpenSSH source.  So
yes, Sue's OK.


BB.
-- 
Bruce O. Benson, Co-Chair,
NovaLUG Security SIG.
mailto:benson at tux.org  |  http://novalug.tux.org



