On Tue, Dec 16, 2025 at 2:35 AM Tobias Leupold <[email protected]> wrote:
> E-Mail von Sune Vuorela vom Montag, 15. Dezember 2025, 13:55: > > On 2025-12-15, Tobias Leupold <[email protected]> wrote: > > > as of recently, I get the following warning when communicating with > > > invent.kde.org: > > > > > > $ git pull > > > ** WARNING: connection is not using a post-quantum key exchange > > > algorithm. > > > ** This session may be vulnerable to "store now, decrypt later" > > > attacks. > > > ** The server may need to be upgraded. See > https://openssh.com/pq.html > > > > > > Should we do something about this? > > > > We should probably at some point, but luckily we don't really do secret > > things on invent. > > Well, that's the "I have nothing to hide" attitude that makes people use > WhatsApp ... > > > Also, https://kawaiicon.org/talks/quantum-cryptanalysis/ and > > http://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf > > A critical reader might consider this a rant ;-) > > > /Sune > > No hard feelings, I just thought the OpenSSH guys probably know what > they're > talking about. Also, I don't get such a warning when connecting to the > other > servers I use, so I simply wondered what's up here and why. > We had some older "secure at the time" recommendations deployed on invent.kde.org that came from Mozilla, which resulted in some algorithms being enabled that don't meet those standards. While still well within distribution support, Invent is a little older and doesn't support the very latest ciphers, etc - but i've modernised it as best as possible based on feedback from ssh-audit now. Proper fix will need to wait for it to migrate to a newer system which should take place in the next few months. Thanks, Ben
