Trojaned OpenSSH (in 2002) — OpenBSD's supply-chain security incident
Summary
A detailed retrospective of OpenBSD OpenSSH 3.2.2p1 and 3.4 trojaned archives (July 2002) with a backdoor in bf-test.c, the rapid OpenBSD advisory, forensics, and the organizational changes implemented to harden the supply chain and development workflow. It highlights how a compromised account and misdirected mirrors led to a near-catastrophic security incident, and the post-incident enhancements to verification, signing, and process controls.