Displayed version is not updated for 2023-10 release since 2022-08 #152
Comments
Thanks for the report. This is an erroneous omission in the release even though documented. @dstebila @praveksharma Do we want to retain |
I've made PR #153 to fix the version number. #148
When Pravek was doing the update a few months ago, he misunderstood what OQS-vX meant, not realizing that v8 refers to us tracking OpenSSH v8. So the OQS-v9 branch was created in error; I've now deleted it. We are far behind OpenSSH main now. I don't know the scale of work needed to update to main. But if we don't want to do that and don't have someone willing to maintain it, then we should consider deprecating this project: there are security issues being fixed in OpenSSH that we are lacking (e.g., the recent Terrapin cryptographic attack). |
We build openquantumsafe-openssh in ALT so I backported fixes for CVE-2023-48795, CVE-2023-51384, CVE-2023-51385 since release 2023-10. So this sort of unmaintainability is not a big problem for downstreams.
By the way, OpenSSH upstream considers this attack to be of low importance: "While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation." |
Thanks for the explanation & fix. I do second the thought of "demoting" |
Hi all - obvious question but why is this project "inactive"? I see maintainers from AWS etc? Thanks |
Could you please point to where you see those maintainers? |
Closing this issue as it related to our deprecated |
This can be confusing for users to see what actual version is installed.
See https://github.com/open-quantum-safe/openssh/blob/OQS-v8/version.h