Migrate from the dumpster fire that is OpenSSH #86

Kreyren commented Jul 7, 2024

Over-complicated project recognized as critical infrastructure which is riddled with Quality Assurance + Code Quality issues and apparently a culture of being a developer for hire to implement a zero-day on demand disguised as an "honest mistake", as reviewing the regreSSHion[1] vulnerability seems very unlikely to not be intentional: the issue was present in previous releases, it seems well known to all OpenSSH developers and there are numerous comments all around the relevant code block to highlight that it shouldn't be changed as it's a security vulnerability, and yet it still made it INTO THE FUCKING RELEASE.

And I am sick and tired of trying to manage any kind of unforeseen and unknown problems, as there are only so many layers that I can cover, and in terms of Dr. Reason's Swiss Cheese I believe that we are here:

[image]

Thus the sooner we replace this dumpster fire of a software the better, as there is a vulnerability waiting to happen that will hit us hard.

Candidates

LibreSSH: TBD -- https://www.libressl.org/
RuSSH: TBD -- https://github.com/warp-tech/russh
TruSSH: TBD -- https://nest.pijul.com/pijul/thrussh
Apache Mina: TBD -- https://github.com/apache/mina
Dropbear SSH: TBD -- https://matt.ucc.asn.au/dropbear/dropbear.html
Teleport: Candidate? TBD -- https://goteleport.com/
WolfSSH: TBD -- https://www.wolfssl.com/products/wolfssh/
Other?

Sanity Check

Are these vulnerabilities discovered and disclosed because OpenSSH is considered critical infrastructure, so that there are paid security researchers looking through the codebase for these issues, or is it actually the lack of Quality Assurance that it seems to be?

[1] RegreSSHion vulnerability -- https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
Kreyren added this to the Current Run milestone Jul 7, 2024
Kreyren pinned this issue Jul 7, 2024