On Wed, 2015-03-25 at 18:48 +1100, Damien Miller wrote: > Our ability to influence people who run truly obsolete software is > extremely limited. +1, mostly because those who still use something that outdated in their products are either dead, or simply don't care about their customer's security (which is typical in the embedded devices area). Just by us (or anyone else) saying anything, that won't change. > The best we can do is deprecate as noisily as > possible after extremely generous grace period. This is what we are > doing I think just deprecating is what has been done years ago - everyone can by now truly know that SSH1 should not have been used since a long time. I'd even support if you really remove the v1 related code from the codebase. Just deactivating it per default and affected people will simply enable it again, without bothering to do their homework. And even if 6.9 would really lack v1 support, people could still just use anything <6.9 for v1 - they won't be less secure. :) Chris.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev