(Also, assume the sandbox doesn't exist when you decide what build people should upgrade to.)

On Wed, Mar 25, 2015 at 12:54 AM, Dan Kaminsky <dan@xxxxxxxxxxx> wrote:

> Protocols and ciphers are sunsetted all the time, this is a regular thing,
> but there are announcements before breaking changes are inserted. You
> assume people are slow to update anyway; some are, some aren't, what you're
> doing is wildly rewarding the slow updaters and punishing the fast ones.
> That has negative effects elsewhere.
>
> What would it hurt to announce the release in 3-6 months will drop SSHv1
> to a compile time option, and that people should be running (for example)
> at least OpenSSH 5.9x? You've got vendor class authority here, tell people
> what you want and give them some time to implement your directive. The
> alternative is they eventually trace back why some random critical system
> failed to this very thread and are like, yeah, never blindly push *that*
> guy's code...
>
> On Wed, Mar 25, 2015 at 12:48 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>
>> On Tue, 24 Mar 2015, Dan Kaminsky wrote:
>>
>> BTW you didn't respond to this. IMO it is the essence of the problem:
>>
>> > > At this point, I don't think any further discussion is going to
>> > > make any difference. Do you think another two years would make an
>> > > appreciable change to the numbers you posted above, beyond old
>> > > hardware literally dying of old age?
>>
>> Our ability to influence people who run truly obsolete software is
>> extremely limited. The best we can do is deprecate as noisily as
>> possible after extremely generous grace period. This is what we are
>> doing
>>
>> -d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev