svn commit: r303716 - head/crypto/openssh

Andrey Chernov ache at freebsd.org
Sun Aug 7 21:11:38 UTC 2016


On 07.08.2016 23:40, Peter Jeremy wrote:
> On 2016-Aug-07 15:25:54 +0300, Andrey Chernov <ache at freebsd.org> wrote:
>> You should address your complaints to the original openssh author instead; it
>> was his decision to get rid of weak algos.
> 
> No.  It's up to the person who imported the code into FreeBSD to understand
> why the change was made and to be able to justify it to the FreeBSD
> community.  Firstly, security is not absolute - it's always a cost-benefit
> tradeoff and different communities may make different tradeoffs.  Secondly,
> the importer needs to be confident that the code is actually an improvement,
> not an attempt by a bad actor to undermine security.

It is pretty clear to everybody who is interested in security why this
change was made and why it is actually an improvement. Tuning it (or not)
to different obsolete environments, and how to do it (if at all), is
a completely different question which, IMHO, would be better resolved by
consulting with the author rather than by mechanically restoring the removed
weak stuff with each new openssh release.

>> In my personal opinion, if
>> your hardware is outdated, just drop it out.
> 
> This is part of the cost-benefit analysis.  Replacing hardware has a real
> cost.  If it's inside a datacentre, where the management LAN is isolated
> from the rest of the world, there may be virtually no benefit to disabling
> "weak" ciphers.

As I have already said twice in this discussion, it is just my personal
opinion and I am not insisting on it. Just ignore it if you like.

> OTOH, FreeBSD has a documented deprecation process that says things will
> continue working for a major release after being formally deprecated.

FreeBSD 11 is not released yet (betas do not count), and neither is stable-10,
so it is the right time to deprecate for them.




