From: Ed Maste
Date: Tue, 15 Apr 2025 14:41:09 -0400
Subject: Re: Heads-up: DSA key support being removed from OpenSSH
To: Dr Jim Allen
Cc: "Bjoern A. Zeeb", freebsd-security@freebsd.org
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Thu, 10 Apr 2025 at 19:21, Dr Jim Allen wrote:
>
> Two things.
>
> a) Why remove the build config option?
> I know the code is being removed at some point, but until it is, why not
> leave it as an option (defaulted off)?

There's no user-facing interface to run upstream's configure script as
part of the FreeBSD build system, so enabling DSA in the FreeBSD base
system already required having a patched tree. Committing this removal
now has no user-facing impact, but means that we can separately decide
what to merge to stable branches: in particular, it is possible for us
to merge 10.0p2 to stable branches with DSA support still present.