On 11/03/2021 12:13, Florian Weimer wrote:
> * Richard W. M. Jones:
>
>> I really hope we don't remove the ability to connect to old servers
>> (eg. running RHEL 5). At the moment you have to opt-in by setting the
>> crypto-policy to LEGACY and running update-crypto-policies(8), which
>> is bearable.
>
> In the past (long, long ago), I had to enable Telnet on target devices
> to work around incompatible cryptography policies. I hope we are not
> going to return to that.

Giving people an option to use broken crypto on-demand may appear reasonable at first glance. In practice, there are sites where people turn it on to meet a deadline or end a service outage and then they never go back to remove it.

Nonetheless, all I'm really looking at in this thread is to parse what the OpenSSH releases say into specific advice for current and recent Fedora releases. A lot of media articles appeared about the issue and created a lot of attention but I don't feel any of those articles make it easy for every sysadmin to act or to really understand if there is a lingering problem in their host or data center.

Search results about SHA1 reveal advice like this:

https://access.redhat.com/discussions/3121481

but in the upstream thread, the OpenSSH developers pointed out it is not even relevant.

Regards,

Daniel
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure