OpenSSH Vulnerability Announced, Potato Unaffected
A couple of words about the OpenSSH mess: in my mind, this has brought home the necessity of full disclosure more than ever. It doesn’t matter whether the software is Windows XP or an obscure daemon: full disclosure lets everyone evaluate the risks involved for themselves, rather than leaving them to trust others who have their own agendas to push.
I have a potato box that was particularly hard-hit by this (yes, I know I should probably not be running potato, but this is a machine where I need stability more than I need the latest and greatest, dammit). Debian normally backports all patches, and doesn’t introduce new features unless strictly necessary. Because of the ubiquity of OpenSSH and the (ahem!) unique characteristics of Theo de Raadt, they blinked and backported v3.3p1 as recommended, only to find when the advisory was released that they were not vulnerable all along! Personally, I think the best course of action for them now would be to go back to the original potato sshd.
Could any of this have been handled better? After all, apart from scaring the shit out of everybody, the OpenSSH team — even Theo — did the correct thing. They released just enough information about the problem, and suggested a workaround (in classic Theo style, not the simplest one available), until they could release a patched version (3.4) which mitigated the problem.
Maybe, just maybe, in the future, teams maintaining software as ubiquitous as OpenSSH should interact a little more with vendors — especially ones like Debian, which try to be highly responsive to security threats. That would make things much smoother for users, and better for the reputation of the people concerned.

