Date:      Mon, 8 Aug 2016 00:11:33 +0300
From:      Andrey Chernov <ache@freebsd.org>
To:        Peter Jeremy <peter@rulingia.com>
Cc:        Bruce Simpson <bms@fastmail.net>, Oliver Pinter <oliver.pinter@hardenedbsd.org>, Dag-Erling Smørgrav <des@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r303716 - head/crypto/openssh
Message-ID:  <ab58ed22-7dd1-7b8d-fcc5-71def5936901@freebsd.org>
In-Reply-To: <20160807204039.GB79784@server.rulingia.com>
References:  <201608031608.u73G8Mjq055909@repo.freebsd.org> <d419bddd-fe56-bc11-8965-142ca0b94ebc@fastmail.net> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> <CAPQ4fftQ30_aqU8V_ea-WEKBdMZs5H9Rwxnfa0crid_df049nQ@mail.gmail.com> <b99c06ac-82d6-ccda-419c-2ece5be4636f@fastmail.net> <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org> <20160807204039.GB79784@server.rulingia.com>

On 07.08.2016 23:40, Peter Jeremy wrote:
> On 2016-Aug-07 15:25:54 +0300, Andrey Chernov <ache@freebsd.org> wrote:
>> You should address your complaints to the original openssh author instead, it
>> was his decision to get rid of weak algos.
>
> No.  It's up to the person who imported the code into FreeBSD to understand
> why the change was made and to be able to justify it to the FreeBSD
> community.  Firstly, security is not absolute - it's always a cost-benefit
> tradeoff and different communities may make different tradeoffs.  Secondly,
> the importer needs to be confident that the code is actually an improvement,
> not an attempt by a bad actor to undermine security.

It is pretty clear to everybody who is interested in security why this
change is made and why it is actually an improvement. Tuning it (or not)
to different obsoleted environments, and how to do it (if yes), is
a completely different question which, IMHO, will be better resolved by
consulting with the author and not by mechanically restoring removed
weak stuff with each new openssh release.

>> In my personal opinion, if
>> your hardware is outdated, just drop it out.
>
> This is part of the cost-benefit analysis.  Replacing hardware has a real
> cost.  If it's inside a datacentre, where the management LAN is isolated
> from the rest of the world, there may be virtually no benefit to disabling
> "weak" ciphers.

As I already said in this discussion twice, it is just my personal
opinion and I am not insisting on it. Just ignore it if you like.

> OTOH, FreeBSD has a documented deprecation process that says things will
> continue working for a major release after being formally deprecated.

FreeBSD 11 is not released yet (betas are not counted), stable-10 too,
so it is the right time to deprecate for them.



