On 2025/09/03 05:16, Rene Malmgren wrote:
> As promised, I have made an update on my post; I realized I forgot to post it.
>
> /Rene
>
> https://againstallflags.wordpress.com/2025/08/24/update-on-regresshion/
> Update on RegreSSHion <https://againstallflags.wordpress.com/2025/08/24/update-on-regresshion/>
> A few days ago, I published a blog post where I outlined my findings from research into CVE-2024-6387, along with questions about whether it was safe to continue using OpenSSH by OpenBSD in the fut…
> againstallflags.wordpress.com

| "Decommission and replace" stands, not because of proven malice, but
| because malice can't be ruled out, along with systemic issues,
| questionable processes, and disregard for user safety.

As you're proposing replacement, what would you recommend is used instead?
For others: TL;DR waffle-waffle-sloth-devs-idiots-adding-log-line-numbers-yellow-warning-nothing-proposed-just-waffling-waffles

> On 03 Sep 2025, at 12:09, Stuart Henderson <stu at spacehopper.org> wrote:
>
> As you're proposing replacement, what would you recommend is used
> instead?

This guy is still slandering the OpenSSH team, and after my 30 years of IT experience, this old fart is calling this youth's bluff: he suffers from delusions of grandeur. If he at least started up a decent website, registered a proper domain, paid for proper hosting/website using properly secured software for a website rather than a cheap wordpress.com site (and wordpress's lack of security history doesn't bode well for his grandiose stance)… he is just trying to gain "street creds". No contact information/etc. to show who he is and what his credentials are, to track and see whether there is any truth or value in his statements; this is just barking. Please ignore until - I'll now put on Pink Floyd's 1987 album on the turntable.
I did link to Dropbear in my latest post, but I would not say that Dropbear is a good replacement for every use case. It depends a lot on what you are doing.

Now, from my perspective, I would say that there is demand for a better version of SSH on the market, since almost every developer uses it, and it is used everywhere, including airports, banks, crypto exchanges and so on. Obviously, I would not recommend anybody working with digital assets to classify OpenSSH as a secure system in their workflow; you have to be totally mad. Would you put 1000 BTC on a system and have OpenSSH as the frontline software to protect it? Would you accept software from a company that does it?

/Rene

________________________________
From: Stuart Henderson <stu at spacehopper.org>
Sent: Wednesday, September 3, 2025 2:09 PM
To: Rene Malmgren <rene.malmgren at redtoken.ae>
Cc: openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
Subject: Re: Update on RegreSSHion

> | "Decommission and replace" stands, not because of proven malice, but
> | because malice can't be ruled out, along with systemic issues,
> | questionable processes, and disregard for user safety.
>
> As you're proposing replacement, what would you recommend is used instead?