#16911: git-core requiring macports' ssh on leopard, openssh security concern
---------------------------------+------------------------------------------
 Reporter:  bcbarnes@gmail.com   |  Owner:  macports-tickets@lists.macosforge.org
     Type:  defect               |  Status:  new
 Priority:  Normal               |  Milestone:  Port Bugs
Component:  ports                |  Version:  1.6.0
Resolution:                      |  Keywords:
     Port:                       |
---------------------------------+------------------------------------------

Comment(by blb@macports.org):

 Replying to [comment:4 bcbarnes@…]:
 > Well, if you google for openssh client vulnerabilities, there are several
 > thousand links to sort through, but here is a recent example:
 > http://www.ubuntu.com/usn/usn-612-2 the famous RNG problem with Debian
 > and Ubuntu openssh. That's applicable here because if a similar problem
 > existed for macports' ssh, well, the first thing I did after installing
 > git-core was run ssh-keygen, which was run by the macports binary by
 > default.
 Note that MacPorts doesn't think we can do better than the original
 authors of software, so there won't be any functionality-based patches in
 MacPorts like what Debian did. The vast majority of patches applied are
 there either to get it to work with MacPorts' prefix or to get it to build
 in the first place. openssh is in fact one that has a few more patches,
 but these are two-fold: one is a "high-performance" patch which comes from
 psc.edu and is applied only if you specifically select it with the +hpn
 variant; the other is a patch to get ssh to work better with Apple's
 launchd/DISPLAY functionality, and this patch comes from Apple.
 > There are other older examples of ssh client problems with X11,
 > ssh-agent, and other issues. And who knows what lies in the future? The
 > point is, a security-critical utility is being overridden by macports
 > without warning, or need. If macports disappeared one day, I would have
 > degraded security, thinking that OS X patches of ssh would be helping
 > me, when in fact they would not. Think about the average user who
 > doesn't know to check their path or the trac...
 Very true about the future, you never know with software, but this applies
 regardless of your source; MacPorts is usually quite fast in updating
 ports to the latest version (popular ports are updated in hours or days
 when the new version is available upstream), so security issues fixed
 upstream are fixed here quickly.

-- 
Ticket URL: <http://trac.macports.org/ticket/16911#comment:6>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
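The concern raised in this ticket is that a security-critical tool (ssh, and the ssh-keygen git-core ran) silently resolves to a MacPorts binary ahead of the vendor one, so the user no longer knows which copy receives OS security updates. The following POSIX shell script is an added example, not part of the ticket or of MacPorts, that audits $PATH for exactly that situation: it reports which executable each listed command resolves to and flags any that differ from the expected system path. The expected paths (/usr/bin/ssh and friends) and the list of commands are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the ticket or MacPorts): find security-critical
# commands whose first match on $PATH is not the vendor-supplied binary,
# e.g. a MacPorts ssh in /opt/local/bin shadowing /usr/bin/ssh.

# first_in_path CMD: print the first executable named CMD found on $PATH,
# walking the directories in order; return 1 if none is found.
first_in_path() {
    cmd=$1
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means "."
        if [ -x "$dir/$cmd" ] && [ ! -d "$dir/$cmd" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$cmd"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# shadow_status CMD EXPECTED: print "ok" if CMD resolves to EXPECTED,
# "shadowed:<path>" if something earlier on $PATH wins, or "missing".
shadow_status() {
    found=$(first_in_path "$1") || { echo missing; return 0; }
    if [ "$found" = "$2" ]; then
        echo ok
    else
        echo "shadowed:$found"
    fi
}

# audit_ssh_tools: check the OpenSSH client tools the ticket talks about
# against their assumed vendor locations; return 1 if any is shadowed.
audit_ssh_tools() {
    rc=0
    for pair in ssh:/usr/bin/ssh \
                ssh-keygen:/usr/bin/ssh-keygen \
                ssh-agent:/usr/bin/ssh-agent; do
        cmd=${pair%%:*}
        expected=${pair#*:}
        status=$(shadow_status "$cmd" "$expected")
        printf '%-12s %s\n' "$cmd" "$status"
        case $status in
            shadowed:*) rc=1 ;;
        esac
    done
    return $rc
}

# Run the audit when executed directly; a non-zero exit means at least one
# tool is being served by something other than the expected system binary.
audit_ssh_tools
```

Run it as a plain script; a `shadowed:/opt/local/bin/ssh` line is the symptom the reporter describes, and the non-zero exit makes it easy to wire into a login profile or a cron job so the situation is noticed rather than discovered by accident.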