by raggi 1564 days ago
I've been in the SSH code enough to be somewhat terrified by it. The main server loop has so many nested macro conditionals it's exceptionally difficult to read precisely.

That said, fail2ban had an RCE in the last year, so if we're considering trustworthy surfaces, I definitely agree and practice that I trust openssh a whole lot more than a lot of other software that may come up in the discussion.


qmail has one of the most notoriously inscrutable codebases of all time, and it has a startlingly good track record, because there's a coherent security design behind it; the same --- to a greater extent! --- goes for OpenSSH.
There's a side of this that I agree with, however there's other sides.

The reason I've been in the code base a bunch is because I've taken on support of forks bootstrapped by others in various scenarios.

Design safety goes a fairly long way, but it's so easy to screw up patching code shaped this way. I might trust the core, but I don't trust external patches.

The problem in practice is, distros can't help themselves.

I wouldn't trust external patches to OpenSSH either.
Maybe qmail and SSH have their good track record because of security by inscrutability