I would like to add a few things, if I may.
> Many vendors have integrated OpenSSH into their operating systems or
> devices and quite a few of these proudly list the secure management
> ability that OpenSSH provides as a major feature in their marketing
> material - something which translates directly to product sales.
These vendors include:
    Sun, Apple, IBM, HP, Cisco, Netgear, RedHat, SuSe
    most operating system vendors except Microsoft
    nearly every other major network equipment manufacturer
    (but many other vendors too)
These vendors have never given us even a dime. (To put it more
clearly, IBM loaned one developer a machine to make sure that OpenSSH
would run better on it, but they INSISTED on it being a loan instead
of just giving it to the developer).
I heard a story once that Sun talked to SSH.COM about getting their
SSH product incorporated into Solaris, and were quoted either $1
million or $2.5 per year for a license. (Someone from Sun can correct
me on this figure when they come help us). Sun instead incorporated
OpenSSH into Solaris. Now that's all fine and dandy, but if Sun saved
so much money why don't they help us out a little bit, so that we can
make OpenSSH even better?
The same applies to the other vendors listed above. We have saved
them perhaps tens of millions of dollars (I am sure this is not an
exaggeration, for EACH vendor), yet every time we have tried to contact
them to ask for some assistance we have always been given the
run-around, the conversation has died out, and then amounted to
nothing. We have contacted most of these vendors multiple times.
Some of the user community may have been around long enough to know
how things have historically gone with BIND or Sendmail, other
infrastructure products that had no assistance from vendors. Sendmail
went semi-commercial and is so poorly maintained that it still has
holes in it (how timely), and if my information is correct BIND9
development was largely funded by a few European non-profits, on a
pittance of a grant. Meanwhile, the GPL'd variants of software
products like this are still avoided by vendors. So they only want to
take, take, take.
I know we cannot be the only people who think this is ridiculous. And
it has to change, otherwise I think we will feel compelled to change
the way that we work with vendors. We have had discussions about other
options we have already, but we hope that the vendor community does
the responsible thing.
> This is an opportunity for these vendors to give something back. For
> a relatively tiny amount of money, you can help ensure that OpenSSH
> continues to extend its functionality and proactively improve security.
> If you are interested, please email me, Markus Friedl and/or Theo de
> Raadt:
>
> - Damien Miller <djm at openbsd.org>
> - Markus Friedl <markus at openbsd.org>
> - Theo de Raadt <deraadt at openbsd.org>
>
> If you work for a vendor who uses or has integrated OpenSSH, please
> consider this request and forward it to anyone else in your organisation
> who is able to assist.
>
> Thanks,
> Damien Miller
As a side note, earlier today IBM Support actually sent an energy
company with whom they have a multi-million support contract to our
private development mailing list saying we had to fix a customer bug.
I was shown an extensive set of IBM support emails with the customer
where they were refusing to take responsibility for the issue, and
finally told their customer that OpenSSH was responsible for fixing
their problem. I say shame on you, IBM, SHAME ON YOU. You take their
money and want us to make your customers happy.