From: Andrey Chernov
To: Peter Jeremy
Cc: Bruce Simpson, Oliver Pinter, Dag-Erling Smørgrav, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Mon, 8 Aug 2016 00:11:33 +0300
Subject: Re: svn commit: r303716 - head/crypto/openssh

On 07.08.2016 23:40, Peter Jeremy wrote:
> On 2016-Aug-07 15:25:54 +0300, Andrey Chernov wrote:
>> You should address your complaints to original openssh author instead, it
>> was his decision to get rid of weak algos.
>
> No. It's up to the person who imported the code into FreeBSD to understand
> why the change was made and to be able to justify it to the FreeBSD
> community. Firstly, security is not absolute - it's always a cost-benefit
> tradeoff and different communities may make different tradeoffs. Secondly,
> the importer needs to be confident that the code is actually an improvement,
> not an attempt by a bad actor to undermine security.

It is pretty clear for everybody who is interested in security why this
change is made and why it is actually an improvement. Tuning it (or not)
to different obsoleted environment and how to do it (if yes) is
completely another question which, IMHO, will be better resolved
consulting with the author and not by mechanically restoring removed weak
stuff with each new openssh release.

>> In my personal opinion, if
>> your hardware is outdated, just drop it out.
>
> This is part of the cost-benefit analysis. Replacing hardware has a real
> cost. If it's inside a datacentre, where the management LAN is isolated
> from the rest of the world, there may be virtually no benefit to disabling
> "weak" ciphers.

As I already said in this discussion twice, it is just my personal opinion
and I am not insisting on it. Just ignore it if you like.

> OTOH, FreeBSD has a documented deprecation process that says things will
> continue working for a major release after being formally deprecated.

FreeBSD 11 is not released yet (betas are not counted), stable-10 too,
so it is the right time to deprecate for them.