From owner-freebsd-security@freebsd.org Sat Feb 4 04:19:27 2017
From: "Garance A Drosehn"
To: heasley
Cc: freebsd-security@freebsd.org
Subject: Re: fbsd11 & sshv1
Date: Fri, 03 Feb 2017 23:19:19 -0500
Message-ID: <54709047-AA32-47F2-8B2A-25524A2C2669@rpi.edu>
In-Reply-To: <20170203170452.GA40078@shrubbery.net>
References: <20170127173016.GF12175@shrubbery.net>
 <867f5c66yr.fsf@desk.des.no>
 <20170130195226.GD73060@shrubbery.net>
 <867f5bfmde.fsf@desk.des.no>
 <20170131201722.GH11924@shrubbery.net>
 <86y3xqdxox.fsf@desk.des.no>
 <20170203005331.GG8381@shrubbery.net>
 <20170203143417.C33334@sola.nimnet.asn.au>
 <20170203170452.GA40078@shrubbery.net>
List-Id: "Security issues [members-only posting]"

On 3 Feb 2017, at 12:04, heasley wrote:
> Fri, Feb 03, 2017 at 03:13:44PM +1100, Ian Smith:
>> Nobody 'forbids' you from making such a port, for your own use and/or
>> for others. See Peter Jeremy's suggestion re where it might be placed
>> and what sort of dire warnings it ought to announce; I expect SO and
>> ports secteam would insist on nothing less.
>>
>> This differs from expecting|demanding|hoping somebody ELSE should do it.
>
> I've already explained why I think we (as in those needing it) building
> our own is a worse security approach. It's also a bit silly for all
> those folks to do it themselves; for the same reason that there are
> binary ports.

It is a perfectly reasonable idea to have a "net/ssh1" port in the
official FreeBSD ports collection, along the lines Peter Jeremy
suggested. We're not saying that each user should be forced to create
their own.

But if there is an official port in the FreeBSD ports collection, then
it needs to be maintained by someone who actually cares about 'ssh1'.
For instance, I suspect I could *create* such a port, but there is
absolutely nothing that I (personally) need 'ssh1' for. Therefore I
would never *use* the port, which means that the port would not really
be supported. This isn't a good result for anyone.

Even though you might *think* you're happy with the initial port, you
might be pretty upset if it breaks after one month and I tell you that
I have no time to fix it. At that point you'll be mad at me, personally,
and I'm not likely to be happy with you, either. That's what we'd like
to avoid.

-- 
Garance Alistair Drosehn                =     drosih@rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA