From nobody Mon Oct 7 17:39:06 2024
From: Ed Maste
Date: Mon, 7 Oct 2024 13:39:06 -0400
Subject: Re: Deprecating RSA ssh host keys in 16
To: Colin Percival
Cc: freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
References: <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com>
 <010001923494fd7e-4bc86dba-6c22-4367-b76d-de1799f18f80-000000@email.amazonses.com>
In-Reply-To: <010001923494fd7e-4bc86dba-6c22-4367-b76d-de1799f18f80-000000@email.amazonses.com>

On Fri, 27 Sept 2024 at 13:43, Colin Percival wrote:
>
> Wearing my EC2 maintainer hat: *In cloud environments* this is important
> enough to diverge from normal practice; but the first-boot-key-generation
> time is not relevant outside of clouds.

We should probably make the same change to GCE, Azure, and Oracle cloud
images too, no?

From nobody Tue Oct 8 00:36:45 2024
From: Colin Percival
Date: Tue, 8 Oct 2024 00:36:45 +0000
Message-ID: <01000192698e97f0-0a1a42b2-41cb-4cd6-bd65-93a6b8dbf6fd-000000@email.amazonses.com>
Subject: Re: Deprecating RSA ssh host keys in 16
To: Ed Maste
Cc: freebsd-arch@freebsd.org, Li-Wen Hsu, Ronald Klop
List-Id: Discussion related to FreeBSD architecture
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
References: <0100019225563885-e7f0aed8-cff8-4247-8bcd-861aed3e5cc7-000000@email.amazonses.com>
 <010001923494fd7e-4bc86dba-6c22-4367-b76d-de1799f18f80-000000@email.amazonses.com>

On 10/7/24 10:39, Ed Maste wrote:
> On Fri, 27 Sept 2024 at 13:43, Colin Percival wrote:
>> Wearing my EC2 maintainer hat: *In cloud environments* this is important
>> enough to diverge from normal practice; but the first-boot-key-generation
>> time is not relevant outside of clouds.
>
> We should probably make the same change to GCE, Azure, and Oracle
> cloud images too, no?

Probably yes. I was waiting a few weeks to make sure this didn't cause any
problems in EC2 before I suggested making the change elsewhere.

(Also, I have a policy of not touching non-EC2 cloud code simply because I
have lots of Amazon NDAs and don't want to accidentally leak something.
But there are other developers who can make this change.)

Colin Percival