IETF-SSH archive


Implementation-hazards list [was Re: Fixing exchange of host keys in the SSH key exchange]



>>> For the most recent example, an older version of a popular library
>>> used to have the "maximum channel packet size" concept completely
>>> borked up.  For a channel opened by the remote party, this library
>>> would overwrite its own maximum packet size with the remote one.
>> It seems like every implementer has stories like this, but no-one
>> can really mention them in public because you don't want to
>> embarrass a particular vendor...

Well, in many cases.  I, for example, am not at all chary about naming
OpenSSH as the implementation whose misfeature prompted me to add
-share-number to moussh (even the moussh manpage does so), and I'd name
the vendor of the devices whose implementation crashed when given
string@domainname extensions if I remembered it (and were sure I
remembered it right).  But I can certainly understand at least a few of
the reasons not everyone is as willing as I am to do that.

However...

>> would there be any interest in having a private list of email
>> addresses of people to exchange information like this with?

...I don't see any need to name-and-shame on such a list.  It's the
misbehaviour, not whose implementation exhibits it, that matters for
implementation purposes.

There might perhaps be value in an implementation with options to make
it exhibit various kinds of misbehaviour, for testing against.  (I'm
tempted to turn moussh into such a one, but now is not a good time for
me to be taking on more timesinks.)

> That sounds like a good idea. I would be interested to follow and
> participate.

Me too.

> The obstacle seems to be getting people together.  Those of us
> who've been around for 15 years may be on this mailing list.  I'm
> not sure if this is true for authors of newer implementations, who
> might benefit from this information most.

I'm not sure either.  Perhaps if the list were archived and the
archives were up somewhere on the Web, the new crowd who expects
everything to be Web this and Web that might be able to find it?

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


