Protocols and ciphers are sunsetted all the time, this is a regular thing, but there are announcements before breaking changes are inserted. You assume people are slow to update anyway; some are, some aren't. What you're doing is wildly rewarding the slow updaters and punishing the fast ones. That has negative effects elsewhere.

What would it hurt to announce the release in 3-6 months will drop SSHv1 to a compile-time option, and that people should be running (for example) at least OpenSSH 5.9x? You've got vendor-class authority here, tell people what you want and give them some time to implement your directive. The alternative is they eventually trace back why some random critical system failed to this very thread and are like, yeah, never blindly push *that* guy's code...

On Wed, Mar 25, 2015 at 12:48 AM, Damien Miller <djm at mindrot.org> wrote:

> On Tue, 24 Mar 2015, Dan Kaminsky wrote:
>
> > BTW you didn't respond to this. IMO it is the essence of the problem:
> >
> > > At this point, I don't think any further discussion is going to
> > > make any difference. Do you think another two years would make an
> > > appreciable change to the numbers you posted above, beyond old
> > > hardware literally dying of old age?
>
> Our ability to influence people who run truly obsolete software is
> extremely limited. The best we can do is deprecate as noisily as
> possible after an extremely generous grace period. This is what we are
> doing.
>
> -d
(Also, assume the sandbox doesn't exist when you decide what build people should upgrade to.)

On Wed, Mar 25, 2015 at 12:54 AM, Dan Kaminsky <dan at doxpara.com> wrote:

> Protocols and ciphers are sunsetted all the time, this is a regular thing,
> but there are announcements before breaking changes are inserted. You
> assume people are slow to update anyway; some are, some aren't. What you're
> doing is wildly rewarding the slow updaters and punishing the fast ones.
> That has negative effects elsewhere.
>
> What would it hurt to announce the release in 3-6 months will drop SSHv1
> to a compile-time option, and that people should be running (for example)
> at least OpenSSH 5.9x? You've got vendor-class authority here, tell people
> what you want and give them some time to implement your directive. The
> alternative is they eventually trace back why some random critical system
> failed to this very thread and are like, yeah, never blindly push *that*
> guy's code...
>
> On Wed, Mar 25, 2015 at 12:48 AM, Damien Miller <djm at mindrot.org> wrote:
>
> > On Tue, 24 Mar 2015, Dan Kaminsky wrote:
> >
> > > BTW you didn't respond to this. IMO it is the essence of the problem:
> > >
> > > > At this point, I don't think any further discussion is going to
> > > > make any difference. Do you think another two years would make an
> > > > appreciable change to the numbers you posted above, beyond old
> > > > hardware literally dying of old age?
> >
> > Our ability to influence people who run truly obsolete software is
> > extremely limited. The best we can do is deprecate as noisily as
> > possible after an extremely generous grace period. This is what we are
> > doing.
> >
> > -d
On Wed, 25 Mar 2015, Dan Kaminsky wrote:

> What would it hurt to announce the release in 3-6 months will drop
> SSHv1 to a compile time option

We did exactly that in the last release. See what I mean about nobody reading the release notes?

> The alternative is they eventually trace back why some random critical
> system failed to this very thread and are like, yeah, never blindly
> push *that* guy's code...

I hope nobody ever blindly pushes my code.

-d
We can be a little louder than release notes.

It's probably a little sketchy to just warn people against 5.x with all the backporting of security fixes going on. It'd be nice to say the specific CVEs or patchsets you'd like people to be sure they're running. As you say, there's some nasty capability out there.

And after all these years, there's a lot of trust in you, and OpenSSH. It's well earned. It's a good time to be doing this shift. A lot of crypto is being sunsetted. Just recommending a bit more awareness first.

On Wed, Mar 25, 2015 at 1:10 AM, Damien Miller <djm at mindrot.org> wrote:

> On Wed, 25 Mar 2015, Dan Kaminsky wrote:
>
> > What would it hurt to announce the release in 3-6 months will drop
> > SSHv1 to a compile time option
>
> We did exactly that in the last release. See what I mean about nobody
> reading the release notes?
>
> > The alternative is they eventually trace back why some random critical
> > system failed to this very thread and are like, yeah, never blindly
> > push *that* guy's code...
>
> I hope nobody ever blindly pushes my code.
>
> -d