open-quantum-safe / openssh

Fork of OpenSSH that includes prototype quantum-resistant key exchange and authentication in SSH based on liboqs. PROJECT INACTIVE. CONTRIBUTORS WANTED.
https://openquantumsafe.org/

Displayed version is not updated for 2023-10 release since 2022-08 #152

Closed vt-alt closed 3 weeks ago

vt-alt commented 8 months ago

This can be confusing for users to see what actual version is installed.

# ssh -V
OpenSSH_8.9-2022-01_p1, Open Quantum Safe 2022-08, OpenSSL 3.1.4 24 Oct 2023

See https://github.com/open-quantum-safe/openssh/blob/OQS-v8/version.h

baentsch commented 8 months ago

Thanks for the report. This is an erroneous omission in the release even though documented.

@dstebila @praveksharma Do we want to retain oqs-openssh as a maintained project or shall we declare it "unmaintained" much like liboqs-java or completely "sunset" like oqs-openssl111 given v8 seems really far distant from the upstream by now? If we maintain it, I'd think we should have an assigned maintainer. Next question along the same lines: Why do we have two more-or-less active branches (OQS-v8 and OQS-v9)? Conceptually, v9 sounds more recent, but we don't seem to release it: May I ask why?

dstebila commented 8 months ago

I've made PR #153 to fix the version number.#148

> @dstebila @praveksharma Do we want to retain oqs-openssh as a maintained project or shall we declare it "unmaintained" much like liboqs-java or completely "sunset" like oqs-openssl111 given v8 seems really far distant from the upstream by now? If we maintain it, I'd think we should have an assigned maintainer. Next question along the same lines: Why do we have two more-or-less active branches (OQS-v8 and OQS-v9)? Conceptually, v9 sounds more recent, but we don't seem to release it: May I ask why?

When Pravek was doing the update a few months ago, he misunderstood what OQS-vX meant, not realizing that v8 refers to us tracking OpenSSH v8. So the OQS-v9 branch was created in error; I've now deleted it.

We are far behind OpenSSH main now. I don't know the scale of work needed to update to main. But if we don't want to do that and don't have someone willing to maintain it, then we should consider deprecating this project: there are security issues being fixed in OpenSSH that we are lacking (e.g., the recent Terrapin cryptographic attack).

vt-alt commented 8 months ago

We build openquantumsafe-openssh in ALT, so I backported fixes for CVE-2023-48795, CVE-2023-51384, CVE-2023-51385 since release 2023-10. So this sort of unmaintainability is not a big problem for downstreams. But it seems Open Quantum Safe OpenSSH did not become popular among other distributions yet. I would like it if you continue to maintain and update to v9 though.

> that we are lacking (e.g., the recent Terrapin cryptographic attack).

By the way, OpenSSH upstream considers this attack to be of low importance: "While cryptographically novel, there is no discernable impact on the integrity of SSH traffic beyond giving the attacker the ability to delete the message that enables some features related to keystroke timing obfuscation."

baentsch commented 8 months ago

> So the OQS-v9 branch was created in error; I've now deleted it.

Thanks for the explanation & fix. I do second the thought of "demoting" oqs-openssh though, unless we find an enthusiastic maintainer. At the very least there should be a warning at the top of the README.md. Another noteworthy fact: this project has been failing CI for 2 months and no-one noticed/cared...

bsodmike commented 5 months ago

Hi all - obvious question but why is this project "inactive"? I see maintainers from AWS etc?

Thanks

baentsch commented 5 months ago

> I see maintainers from AWS

Could you please point to where you see those maintainers?

dstebila commented 3 weeks ago

Closing this issue as it related to our deprecated OQS-v8 branch.