From: Xin Li
To: Warner Losh, Andrey Chernov
Cc: d@delphij.net, Peter Jeremy, Bruce Simpson, Oliver Pinter, Dag-Erling Smørgrav, src-committers, svn-src-all@freebsd.org, svn-src-head@freebsd.org, FreeBSD Security Team, FreeBSD Release Engineering Team
Subject: Re: svn commit: r303716 - head/crypto/openssh
Date: Sun, 7 Aug 2016 15:48:44 -0700
Message-ID: <226b9a3c-8ca8-af31-7665-86d51365fc81@delphij.net>
In-Reply-To: <8371434C-86F6-4DCB-82D4-F236BBC2F9A2@bsdimp.com>
List-Id: SVN commit messages for the src tree for head/-current

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 8/7/16 14:20, Warner Losh wrote:
>
>> On Aug 7, 2016, at 3:11 PM, Andrey Chernov wrote:
>>
>>> OTOH, FreeBSD has a documented deprecation process that says things will
>>> continue working for a major release after being formally deprecated.
>>
>> FreeBSD 11 is not released yet (betas are not counted), stable-10 too,
>> so it is the right time to deprecate for them.
>
> Nice try, but feature freeze was months ago. Have you got buy-in from the
> security officer and the release engineer?

Well, despite the fact that I have to admit that I get locked out from my own storage box too, however (even without wearing any hat) I am for the change and would blame myself for being lazy in adopting the change when the upstream announced it earlier, about a year ago.

Compatibility with legacy software/hardware, sure, but if we don't stop at some point, it would be like SSL 2.0, in which people pointed out several flaws in 1995 and which took 16 years to get deprecated and still bit people in 2014.

We should do something like what OpenSSH has done by creating a page describing the motivation, the impact, the temporary but discouraged workaround, etc., and mention it in the release notes to prevent people from being bitten.

Cheers,