From: Andrey Chernov
To: Peter Jeremy
Cc: Bruce Simpson, Oliver Pinter, Dag-Erling Smørgrav, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Mon, 8 Aug 2016 00:11:33 +0300
Subject: Re: svn commit: r303716 - head/crypto/openssh

On 07.08.2016 23:40, Peter Jeremy wrote:
> On 2016-Aug-07 15:25:54 +0300, Andrey Chernov wrote:
>> You should address your complaints to original openssh author instead, it
>> was his decision to get rid of weak algos.
>
> No. It's up to the person who imported the code into FreeBSD to understand
> why the change was made and to be able to justify it to the FreeBSD
> community. Firstly, security is not absolute - it's always a cost-benefit
> tradeoff and different communities may make different tradeoffs. Secondly,
> the importer needs to be confident that the code is actually an improvement,
> not an attempt by a bad actor to undermine security.

It is pretty clear for everybody who is interested in security why this
change is made and why it is actually an improvement. Tuning it (or not)
to different obsoleted environment and how to do it (if yes) is
completely another question which, IMHO, will be better resolved consulting
with the author and not by mechanically restoring removed weak stuff
with each new openssh release.

>> In my personal opinion, if
>> your hardware is outdated, just drop it out.
>
> This is part of the cost-benefit analysis. Replacing hardware has a real
> cost. If it's inside a datacentre, where the management LAN is isolated
> from the rest of the world, there may be virtually no benefit to disabling
> "weak" ciphers.

As I already said in this discussion twice, it is just my personal opinion
and I am not insisting on it. Just ignore it if you like.

> OTOH, FreeBSD has a documented deprecation process that says things will
> continue working for a major release after being formally deprecated.

FreeBSD 11 is not released yet (betas are not counted), stable-10 too,
so it is the right time to deprecate for them.