On 07.08.2016 23:40, Peter Jeremy wrote:
> On 2016-Aug-07 15:25:54 +0300, Andrey Chernov <a...@freebsd.org> wrote:
>> You should address your complaints to the original openssh author instead; it
>> was his decision to get rid of weak algos.
>
> No. It's up to the person who imported the code into FreeBSD to understand
> why the change was made and to be able to justify it to the FreeBSD
> community. Firstly, security is not absolute - it's always a cost-benefit
> tradeoff and different communities may make different tradeoffs. Secondly,
> the importer needs to be confident that the code is actually an improvement,
> not an attempt by a bad actor to undermine security.

It is pretty clear to everybody who is interested in security why this change was made and why it is actually an improvement. Tuning it (or not) for different obsolete environments, and how to do it (if yes), is a completely different question which, IMHO, will be better resolved by consulting with the author and not by mechanically restoring removed weak stuff with each new openssh release.

>> In my personal opinion, if
>> your hardware is outdated, just drop it out.
>
> This is part of the cost-benefit analysis. Replacing hardware has a real
> cost. If it's inside a datacentre, where the management LAN is isolated
> from the rest of the world, there may be virtually no benefit to disabling
> "weak" ciphers.

As I already said in this discussion twice, it is just my personal opinion and I am not insisting on it. Just ignore it if you like.

> OTOH, FreeBSD has a documented deprecation process that says things will
> continue working for a major release after being formally deprecated.

FreeBSD 11 is not released yet (betas are not counted), nor is stable-10, so it is the right time to deprecate for them.