Re: FYI: SSH1 now disabled at compile-time by default

On Wed, Mar 25, 2015 at 11:45 AM, Christoph Anton Mitterer
<calestyo@xxxxxxxxxxxx> wrote:
> On Wed, 2015-03-25 at 18:48 +1100, Damien Miller wrote:
>> Our ability to influence people who run truly obsolete software is
>> extremely limited.
> +1, mostly because those who still use something that outdated in their
> products are either dead, or simply don't care about their customers'
> security (which is typical in the embedded devices area).
> Just by us (or anyone else) saying anything, that won't change.
>
>> The best we can do is deprecate as noisily as
>> possible after an extremely generous grace period. This is what we are
>> doing
> I think just deprecating is what has been done years ago - everyone can
> by now truly know that SSH1 should not have been used since a long time.
>
> I'd even support if you really remove the v1 related code from the
> codebase. Just deactivating it per default and affected people will
> simply enable it again, without bothering to do their homework.
> And even if 6.9 would really lack v1 support, people could still just
> use anything <6.9  for v1 - they won't be less secure.

Yanking it out wholesale should be part of a 7.0 build, not an
incremental release. That's a major incompatibility with one heck of a
lot of existing code, much of which is on extended support.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



