On Mon, Jan 9, 2023 at 9:03 PM Konstantin Olchanski <[log in to unmask]> wrote:
>
> On Mon, Jan 09, 2023 at 08:04:19PM -0500, Nico Kadel-Garcia wrote:
> >
> > ... you can validate the source tarballs and review any patches and the .spec file.
> >
>
> no, I cannot validate and review this. I am not clever enough. Could never figure out
> even obfuscated C contest puzzles, forget about cyberwarefare malicious exploit codes.
> I looked at the stuff a few times, just for kicks. Yes, beyound my ken.

OpenBSD publishes their GPG signatures for their OpenSSH tarballs. If
you can't validate the tarball... that kind of step is broadly
published. If you can't find or do that, and can't read the PAM config
files.... you probably shouldn't be building your own version of
OpenSSH. The intermediate version of OpenSSH will still be vulnerable
to any vulnerables published since that release, but it's old enough
to be successfully compiled on RHEL 6 based operating systems The
contemporary releas of OpenSSH is not easily compiled on SL 6, I
checked.