openssh unix dev - Jan 2018 - Legacy option for key length?

On 31/12/17 13:52, Peter Moody wrote:
>> By making it impossible for people to use SSH
> nb, it's not impossible to use opessh. it might not be possible to use
> a*modern*  openssh client to connect to an old, unpatched unmaintained
> (by the vendor) sshd. i'd argue that's not the client's fault.
Of course it's the client's fault.? The client worked, was changed, and 
thus stopped working.? The client wasn't faulty before, and the 
difference was that some people thought it would be a good idea to break 
compatibility with other standard-compliant software.? That's got to be 
the definition of "client's fault" (where "client" means
"the people who
modified the client".)

>> you are forcing people to use
>> less secure software; telnet because they can't use ssh;
> alternative interpretation. i'm less likely to buy from a vendor who
> has a history of not keeping their software patched. if everyone else
> is similarly inclined, vendors will quickly take note.
You're blaming the victim?? It's their fault for lacking prescience?
>> old, buggy versions
>> of ssh because that's what they had to install so that they could
connect to
>> their industrial equipment.
> I'd personally be more worried about the buggy sshd to which I'm
connecting.
By all means worry about that; but there's no suggestion that the 
server, in this case, is buggy.
> maintaining old code isn't free. if you need the old options, ssh1
> support, whatever, you should bear the cost of that yourself (by
> keeping an old copy around, or compiling it yourself when you need
> it). that cost shouldn't be borne by the openssh developers and not
> the ret of the community.
The developers fucked up.? They chose to expend effort breaking 
backwards compatibility when they didn't have to.? For the same effort 
they could have deprecated shorter keys without disallowing them.

But, by all means, force people to use old versions.? That's got to 
advance security, doesn't it?? Who knows, maybe you might even cause a 
fork.? Then there'd be openssh, which doesn't work with lots and lots of
stuff, and there'd be universalssh which works with everything, which 
has all of the latest goodness of openssh (because, why wouldn't it?) 
without any of the nastiness.? Then Debian and Red Hat would switch, and 
openssh would become an also-ran.? Not a terrible result for the world 
but a bad look for the core openssh developers.

On 31/12/17 16:17, David Newall wrote:
> The client wasn't faulty before, and the difference was that some
people
> thought it would be a good idea to break compatibility
Just to be crystal clear: this is the central problem with disallowing 
shorter keys: it needlessly breaks compatibility.

On Sat, Dec 30, 2017 at 9:47 PM, David Newall <openssh at davidnewall.com>
wrote:
> Of course it's the client's fault.  The client worked, was changed,
and thus
> stopped working.
don't upgrade your client. problem solved. you're at fault for not
pinning your dependencies when you have hard dependencies.
>> maintaining old code isn't free. if you need the old options, ssh1
>> support, whatever, you should bear the cost of that yourself (by
>> keeping an old copy around, or compiling it yourself when you need
>> it). that cost shouldn't be borne by the openssh developers and not
>> the ret of the community.
>
> The developers fucked up.
that thing, where your communication style gets in the way of any
valuable point you might otherwise be making, you're doing it again.

On 31/12/17 16:44, Peter Moody wrote:
> On Sat, Dec 30, 2017 at 9:47 PM, David Newall<openssh at
davidnewall.com>  wrote:
>> Of course it's the client's fault.  The client worked, was
changed, and thus
>> stopped working.
> don't upgrade your client. problem solved. you're at fault for not
> pinning your dependencies when you have hard dependencies.
Really?? A fractured user-base: that's what you want?? And you want to 
blame the victims?? People who don't discover that newer versions of 
openssh don't work for equipment which they rarely need to access are at 
fault for believing that what was promised would never be taken away?? 
Just leave them a little time bomb. Nice.? Very nice.