> > A lot of equipment, perfectly good equipment, expensive equipment, but
> > old equipment requires it. Most of it is behind a security appliance so
> > there's no real risk is negligible if indeed it's not actually zero.
> >
> > Removing DSS removes management access to the equipment and the only
> > reason is a pedantic complaint that DSS is trivially broken.
> >
> > Please don't break equipment over well-meaning pedantry.
>
> I bet this (once) expensive equipment still supports telnet, so
> nothing is being broken.

even if it doesn't, the idea that someone would assume support of this equipment is the responsibility of the openssh maintainers, rather than the _vendor_, blows my mind.

save a statically linked copy of openssh that supports your old crypto, problem solved.

On 30/8/21 1:53 pm, Peter Moody wrote:
>> I bet this (once) expensive equipment still supports telnet, so
>> nothing is being broken.
> even if it doesn't, the idea that someone would assume support of this
> equipment is the responsibility of the openssh maintainers, rather
> than the _vendor_, blows my mind.

That's an absurd mis-characterisation of what I said. Perhaps you sent your message in injudicious haste.

Damien said that he plans to remove support for DSS keys at some future time. That will take effort and I bet leaving them in the code will take none.

I'm saying, don't put in that effort because it will needlessly break equipment. Deprecate it to all hell, but don't remove it.

In no possible way can that be conflated with me saying that openssh maintainers have to support anybody's equipment.