Date:      Mon, 30 Jan 2017 22:11:39 -0800
From:      jungle boogie <jungleboogie0@gmail.com>
To:        Heasley <heas@shrubbery.net>
Cc:        Dag-Erling Smørgrav <des@des.no>, freebsd-security@freebsd.org
Subject:   Re: fbsd11 & sshv1
Message-ID:  <b22572f7-a61d-5ad2-bd57-cf51e03797a2@gmail.com>
In-Reply-To: <0A1A9F5A-0102-4FED-9B82-E081C29103AD@shrubbery.net>
References:  <20170127173016.GF12175@shrubbery.net> <867f5c66yr.fsf@desk.des.no> <20170130195226.GD73060@shrubbery.net> <CAKE2PDsBWB65zN3hX=2%2BOoiXrK1W=TsMa6Ck5pnKGn=Dg0k69g@mail.gmail.com> <20170130222443.GL73060@shrubbery.net> <CAKE2PDu7yjfDLZt4O%2BF9k6GnF%2BFLCvXXfY=NkcS01iyyrofhmg@mail.gmail.com> <0A1A9F5A-0102-4FED-9B82-E081C29103AD@shrubbery.net>

On 01/30/2017 09:36 PM, Heasley wrote:

>>> what's wrong with providing a 7.4+v1 port for everyone to use?
>>
>> What will happen when 7.4 gets a vulnerability, then? I don't think
>> you or I will be patching it (or anyone else) and therefore, the
>> port/pkg will be knowingly vulnerable.
>>
>> Why do we want that?
>
> So you are advocating telnet? Such a client is likely better still than telnet, which is the only alternative.
>

No, I've explained what I've advocated: compile 7.4 yourself and use it
for your own needs. Having FreeBSD keep deprecated software around
doesn't seem practical to me, and it seems this is what FreeBSD
security also believes. Sorry that you're working with legacy hardware.

> Without a pkg, folks are forced to maintain it themselves. Which is more likely to receive less attention between now and EoS for v1?
>
> Don't make choices for or impose your rhetoric upon others, provide them the tools to make their choices.
>

Fact: I'm not imposing anything as I have no say in FreeBSD's security 
at all.

FWIW, in May 2016 the openssh team announced their intentions to
disable ssh v1:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-May/035069.html

It also looks like they pushed the deprecation from June to August as well.

Looks like ssh v1 was disabled at compile time in March 2015:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-March/033701.html

So unsurprisingly, it looks like they've communicated the desire to
remove sshv1 for a while.




