On Thu, Mar 11, 2021 at 03:50:57PM +0100, Daniel Pocock wrote: > > > On 11/03/2021 12:13, Florian Weimer wrote: > > * Richard W. M. Jones: > > > >> I really hope we don't remove the ability to connect to old servers > >> (eg. running RHEL 5). At the moment you have to opt-in by setting the > >> crypto-policy to LEGACY and running update-crypto-policies(8), which > >> is bearable. > > > > In the past (long, long ago), I had to enable Telnet on target devices > > to work around incompatible cryptography policies. I hope we are not > > going to return to that. > > Giving people an option to use broken crypto on-demand may appear > reasonable at first glance. In practice, there are sites where people > turn it on to meet a deadline or end a service outage and then they > never go back to remove it. Yeah. ;( However, a command line version might be ok... at least then it's pretty clear what you are doing and you want it to go away so you don't have to type as much. :) > Nonetheless, all I'm really looking at in this thread is to parse what > the OpenSSH releases say into specific advice for current and recent > Fedora releases. I think we will need to wait for the openssh maintainers here. Ultimately it's their call how much we diverge from upstream, but I suspect the answer will be 'as little as possible'. :) kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
