From owner-freebsd-security@freebsd.org Fri Feb 3 18:34:06 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 02581CCFEBC for ; Fri, 3 Feb 2017 18:34:06 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from mail.baldwin.cx (bigwig.baldwin.cx [IPv6:2001:470:1f11:75::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D695C1325 for ; Fri, 3 Feb 2017 18:34:05 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from ralph.baldwin.cx (c-73-231-226-104.hsd1.ca.comcast.net [73.231.226.104]) by mail.baldwin.cx (Postfix) with ESMTPSA id B366310A791; Fri, 3 Feb 2017 13:34:04 -0500 (EST) From: John Baldwin To: freebsd-security@freebsd.org Cc: heasley , Ian Smith Subject: Re: fbsd11 & sshv1 Date: Fri, 03 Feb 2017 10:33:49 -0800 Message-ID: <3966315.aWv9gWMYE6@ralph.baldwin.cx> User-Agent: KMail/4.14.10 (FreeBSD/11.0-STABLE; KDE/4.14.10; amd64; ; ) In-Reply-To: <20170203170452.GA40078@shrubbery.net> References: <20170127173016.GF12175@shrubbery.net> <20170203143417.C33334@sola.nimnet.asn.au> <20170203170452.GA40078@shrubbery.net> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (mail.baldwin.cx); Fri, 03 Feb 2017 13:34:04 -0500 (EST) X-Virus-Scanned: clamav-milter 0.99.2 at mail.baldwin.cx X-Virus-Status: Clean X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Feb 2017 18:34:06 -0000 On Friday, February 03, 2017 05:04:52 PM heasley wrote: > Fri, Feb 03, 2017 at 03:13:44PM +1100, Ian Smith: > > Nobody 'forbids' you from making such a port, for your own use and/or > > for others. See Peter Jeremy's suggestion re where it might be placed > > and what sort of dire warnings it ought to announce; I expect SO and > > ports secteam would insist on nothing less. > > > > This differs from expecting|demanding|hoping somebody ELSE should do it. > > i've already explained why I think we (as in those needing it) building > our own is a worse security approach. Its also a bit silly for all those > folks to do it themselves; for the same reason that there are binary ports. > > i'll need to modify some code, but i'll try plink instead of maintaining > my own. until then, i've built my own v1 openssh client. I think Ian is suggesting that a port is possible so long as someone will agree to maintain it. That is, if you will create and maintain the port then there will be a centralized package for it. The only trick is that someone who cares about sshv1 and will use the resulting package needs to create and maintain the port. -- John Baldwin