Re: FYI: SSH1 now disabled at compile-time by default

(Also, assume the sandbox doesn't exist when you decide what build people
should upgrade to.)

On Wed, Mar 25, 2015 at 12:54 AM, Dan Kaminsky <dan@xxxxxxxxxxx> wrote:

> Protocols and ciphers are sunsetted all the time, this is a regular thing,
> but there are announcements before breaking changes are inserted.  You
> assume people are slow to update anyway; some are, some aren't, what you're
> doing is wildly rewarding the slow updaters and punishing the fast ones.
> That has negative effects elsewhere.
>
> What would it hurt to announce the release in 3-6 months will drop SSHv1
> to a compile time option, and that people should be running (for example)
> at least OpenSSH 5.9x?  You've got vendor class authority here, tell people
> what you want and give them some time to implement your directive.  The
> alternative is they eventually trace back why some random critical system
> failed to this very thread and are like, yeah, never blindly push *that*
> guy's code...
>
>
> On Wed, Mar 25, 2015 at 12:48 AM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>
>> On Tue, 24 Mar 2015, Dan Kaminsky wrote:
>>
>> BTW you didn't respond to this. IMO it is the essence of the problem:
>>
>> > > At this point, I don't think any further discussion is going to
>> > > make any difference. Do you think another two years would make an
>> > > appreciable change to the numbers you posted above, beyond old
>> > > hardware literally dying of old age?
>>
>> Our ability to influence people who run truly obsolete software is
>> extremely limited. The best we can do is deprecate as noisily as
>> possible after an extremely generous grace period. This is what we are
>> doing.
>>
>> -d
>>
>
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



