On Mon, 2019-07-15 at 16:08 -0500, Joseph Reynolds wrote:
> On 7/15/19 3:58 PM, Adrian Bunk wrote:
> > On Mon, Jul 15, 2019 at 03:38:57PM -0500, Joseph Reynolds wrote:
> > > Enhances dropbear with a new feature "disable-weak-ciphers", on
> > > by default.
> > > This feature disables all CBC, SHA1, and diffie-hellman group1
> > > ciphers in the dropbear ssh server and client.
> > >
> > > Disable this feature if you need to connect to the ssh server
> > > from older clients. Additional customization can be done with
> > > local_options.h as usual.
> > > ...
> > Changing the default behaviour in a stable series does not sound
> > appropriate to me.
>
> Although this patch is for security, it is a config change and not a
> fix. I understand if you don't want to add it to a release branch,
> and I am okay with that. I just want to know one way or the
> other.
> If this is the answer, we'll put the patch into our downstream
> project (github.com/openbmc/openbmc branch=warrior)
> ... waiting for more opinions ....

Whilst I understand the rationale behind this, our policy for stable
branches is clear, we shouldn't change behaviour there unless it's for a
significant security issue. This is more prevention rather than a known
large issue.

So unless I hear strong support for adding it, I think we probably just
move forward with it in master. The patch is here if anyone does want
it.

(Armin as the stable branch maintainer does also have a say in this, I'm
not sure what his opinion is).

Cheers,

Richard

--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core