On Wed, Mar 25, 2015 at 11:45 AM, Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx> wrote:
> On Wed, 2015-03-25 at 18:48 +1100, Damien Miller wrote:
>> Our ability to influence people who run truly obsolete software is
>> extremely limited.
> +1, mostly because those who still use something that outdated in their
> products are either dead, or simply don't care about their customer's
> security (which is typical in the embedded devices area).
> Just by us (or anyone else) saying anything, that won't change.
>
>> The best we can do is deprecate as noisily as
>> possible after extremely generous grace period. This is what we are
>> doing
> I think just deprecating is what has been done years ago - everyone can
> by now truly know that SSH1 should not have been used since a long time.
>
> I'd even support if you really remove the v1 related code from the
> codebase. Just deactivating it per default and affected people will
> simply enable it again, without bothering to do their homework.
> And even if 6.9 would really lack v1 support, people could still just
> use anything <6.9 for v1 - they won't be less secure.

Yanking it out wholesale should be part of a 7.0 build, not an
incremental release. That's a major incompatibility with one heck of a
lot of existing code, much of which is on extended support.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev