We can be a little louder than release notes. It's probably a little sketchy to just warn people against 5.x with all the backporting of security fixes going on. It'd be nice to say the specific CVE's or patchsets you'd like people to be sure they're running. As you say, there's some nasty capability out there. And after all these years, there's a lot of trust in you, and OpenSSH. It's well earned. It's a good time to be doing this shift. A lot of crypto is being sunsetted. Just recommending a bit more awareness first. On Wed, Mar 25, 2015 at 1:10 AM, Damien Miller <djm@xxxxxxxxxxx> wrote: > On Wed, 25 Mar 2015, Dan Kaminsky wrote: > > > What would it hurt to announce the release in 3-6 months will drop > > SSHv1 to a compile time option > > We did exactly that in the last release. See what I mean about nobody > reading the release notes? > > > The alternative is they eventually trace back why some random critical > > system failed to this very thread and are like, yeah, never blindly > > push *that* guy's code... > > I hope nobody ever blindly pushes my code. > > -d > > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
