Hi. Thanks for Xpra, it is very useful. This is just a short comment/request, nothing urgent or new. A while ago, I noticed Xpra started using paramiko by default. OK, I thought, what is paramiko? I looked it up and found it is a Python implementation of SSH. I checked its security history, and found it has had some severe CVEs in recent years. Without digging in further, it doesn't look like a good security history compared to OpenSSH, which I use regularly for internet-facing servers and clients on Linux. So the request is for Xpra in the future to never drop the ability to use OpenSSH directly (such as using "--ssh=ssh"). It is OK for OpenSSH to not be the default, just an available option. Thanks.
There is no plan to drop openssh support.
As for the security of paramiko, it is nowhere near as bad as you make it sound. Here's the full list of CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-17787/product_id-44430/Paramiko-Paramiko.html. There are only 2 in total, none in the last 18 months, and none that affect paramiko when used as a client library.
Thanks for the info.
Is paramiko used in Xpra on the server-side?
This ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2790