On Mon, 17 Apr 2017 07:22:00 +0000 Niels Thykier <ni...@thykier.net> wrote:
> * First of all. AFAIUT, the change will at least possibly break the
>   following packages:
>
>   * [...]

I'm not sure how big the list is, but I plan to narrow it down in the near future.

> They need to be fixed or removed from testing before we can even
> consider doing an exception for this breaking change.

Most (all?) of the packages that might break should be within my abilities to quickly remedy. I will try to follow the reverse build dependencies of every reverse build dependency of this package and confirm what builds fail because of this new change. Unfortunately, anything beyond trusting automated build tests seems impractical for something of this size.

> * Secondly, is it correctly understood of me that the issue is
>   basically that golang-go.crypto defaults to not validating an SSH
>   key, but a client /can/ do so with the current API? The fix is
>   then to require the client to explicitly choose a way to deal with
>   SSH keys?

My simplistic understanding of the problem is that we are indeed just changing the default. However, I haven't had any expert tell me so, which probably means I'm wrong. Fortunately, it seems to be a trivial change with a trivial temp-undo patch. Unfortunately, it introduces needed behavioral changes.