On Thu, Mar 26, 2015 at 10:19:05 -0700, Dan Kaminsky wrote:
> Communication is a two way street. If OpenSSH wants to go down the route
> of single releases, like the browsers did, it can remove its minor numbers,
> like the browsers did.
>

There's no question of "going down the route." This has been the
practice with OpenSSH for many years -- if not from the beginning.

Certainly, those outside of the OpenSSH development community often
assume the major/minor release scheme used by the majority of open
source projects, but I'm surprised to see such confusion on this list.

As to disabling SSH v1, hurray! The protocol has been long-obsolete and
it is well-known to be insecure. Sure, some will eventually be impacted
by this, but maybe that is a good thing. Perhaps it will give a little
more incentive for those who are still using SSH1 to move into this
century.

--
Iain Morgan

You're right. My argument then is the next build of OpenSSH should be
OpenSSH 7, and the one after that 8, then 9, then 10. No minor releases?
Sure, go ahead. Deprecate the point,

Do you manage any machines running SSHv1?

On Thu, Mar 26, 2015 at 11:44 AM, Iain Morgan <imorgan at nas.nasa.gov> wrote:
> On Thu, Mar 26, 2015 at 10:19:05 -0700, Dan Kaminsky wrote:
> > Communication is a two way street. If OpenSSH wants to go down the route
> > of single releases, like the browsers did, it can remove its minor numbers,
> > like the browsers did.
> >
>
> There's no question of "going down the route." This has been the
> practice with OpenSSH for many years -- if not from the beginning.
>
> Certainly, those outside of the OpenSSH development community often
> assume the major/minor release scheme used by the majority of open
> source projects, but I'm surprised to see such confusion on this list.
>
> As to disabling SSH v1, hurray! The protocol has been long-obsolete and
> it is well-known to be insecure. Sure, some will eventually be impacted
> by this, but maybe that is a good thing. Perhaps it will give a little
> more incentive for those who are still using SSH1 to move into this
> century.
>
> --
> Iain Morgan
>

On Thu, Mar 26, 2015 at 11:55:18 -0700, Dan Kaminsky wrote:
> You're right. My argument then is the next build of OpenSSH should be
> OpenSSH 7, and the one after that 8, then 9, then 10. No minor releases?
> Sure, go ahead. Deprecate the point,
>
> Do you manage any machines running SSHv1?
>

If by "running" you mean accepting SSH1, of course not. From a security
perspective, no one should be using SSH1. For those who, for whatever
reason, need to support systems that only support SSH1, there are
already sufficient solutions that have been noted multiple times on this
list.

Those who are still using SSH1 have already demonstrated the fact that
they are slow to embrace new technology, so I would not be surprised to
find that the majority of them are also slow to upgrade to newer
versions of OpenSSH. I would also not be surprised to find that many of
them are still using telnet to manage their routers.

--
Iain Morgan