
Re: openssh version info bug or feature ?



On Wed, Feb 06, 2002 at 08:23:10AM -0500, Michael Stone wrote:
> On Thu, Feb 07, 2002 at 12:21:06AM +1100, Paul Hampson wrote:
> > On Wed, Feb 06, 2002 at 08:11:44AM -0500, Anthony DeRobertis wrote:
> > > I'd just worry that existing network audits will be thrown off 
> > > by changing the version. I _do_ think we should change the 
> > > version when we release a security fix, though. Or when we make 
> > > major changes (not sure if we do for ssh).
> > 
> > That's pretty much it in a nutshell.
> 
> Um. Just to clarify, this is *NOT* a change in the version number. It's
> a change in the RFC-compliant *comment field*. Any scanner that's
> confused by that has real issues, *especially* since the next version of
> openssh will probably make that string a config file item.

Ah, OK. I stand corrected then. And making it a config item
also removes the initial poster's objection.

Will the Debian version allow people to remove the Debian
package version from the string, or just append their own
comments to it?

Note that the same string is used for example in the first
line of sshd's output when run with an invalid parameter.

I'd certainly suggest that the debugging logs and
things certainly continue to identify Debian versions, since
I'm sure the ssh team doesn't want bug reports about '-1/-2'
against scp, when (I presume) that's something Debian's
adding locally. (At least that's how I read the changelog)

-- 
===========================================================
Paul "TBBle" Hampson, MCSE
4th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

Of course Pacman didn't influence us as kids. If it did,
we'd be running around in darkened rooms, popping pills and
listening to repetitive music.

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
===========================================================
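
An added example, not part of the original message or of OpenSSH: a parser an audit script could use to keep the software version separate from the optional comment field of the SSH identification string (layout `SSH-protoversion-softwareversion SP comments`, as specified in RFC 4253). The banner values and the names `parse_ident` and `same_release` are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# protoversion and softwareversion: printable US-ASCII, no whitespace, no '-'.
# The comment, if present, follows a single space and runs to the end of line.
_IDENT = re.compile(
    r"SSH-(?P<proto>[!-,.-~]+)-(?P<software>[!-,.-~]+)(?: (?P<comment>[ -~]*))?"
)
MAX_IDENT_LEN = 255  # limit includes the trailing CR LF


class SshIdent(NamedTuple):
    proto: str
    software: str
    comment: Optional[str]


def parse_ident(raw: bytes) -> SshIdent:
    """Return the fields of the identification line in what a server sent."""
    for line in raw.split(b"\n"):
        if not line.startswith(b"SSH-"):
            continue  # a server may send free-text lines before the banner
        if len(line) + 1 > MAX_IDENT_LEN:
            raise ValueError("identification string too long")
        m = _IDENT.fullmatch(line.rstrip(b"\r").decode("ascii"))
        if m is None:
            raise ValueError("malformed identification string")
        return SshIdent(m["proto"], m["software"], m["comment"])
    raise ValueError("no SSH identification line found")


def same_release(a: bytes, b: bytes) -> bool:
    """True when two banners differ at most in the comment field."""
    x, y = parse_ident(a), parse_ident(b)
    return (x.proto, x.software) == (y.proto, y.software)


# Constructed sample banners (not captured from a real host).
PLAIN = b"SSH-2.0-OpenSSH_3.0.2p1\r\n"
TAGGED = b"SSH-2.0-OpenSSH_3.0.2p1 distro-build-1\r\n"
NEWER = b"SSH-2.0-OpenSSH_3.1p1 distro-build-1\r\n"

if __name__ == "__main__":
    print(parse_ident(TAGGED))
    print(same_release(PLAIN, TAGGED), same_release(TAGGED, NEWER))
```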
