lgoldstein commented on PR #446: URL: https://github.com/apache/mina-sshd/pull/446#issuecomment-1871744046
> In fact I don't think any customization flag is needed at all. (Also not in CoreModuleProperties.)

In this issue I have to disagree wholeheartedly. As I have explained in a response to others - this is a major change in the code that has not gained enough "mileage" in the "wild" since we have not released it. It may contain some subtle bug that neither you nor I have detected. Therefore, we *must* have a "kill switch" for it so that our software is not rendered inoperable and then we have to scramble to fix it. This way, if a subtle bug is indeed detected the users can simply disable it, and they would simply revert to the situation before the vulnerability was detected - but at least something would be *working*.

You could make the case that the default for the property should be *on*. It is a valid claim, but I personally do not feel confident enough to do so in view of the major behavior change it entails. If, after running more tests, you should feel comfortable with making it active by default - please do so in a future code change. I will not object to it...