lgoldstein commented on PR #446:
URL: https://github.com/apache/mina-sshd/pull/446#issuecomment-1871744046

   > In fact I don't think any customization flag is needed at all. (Also not in CoreModuleProperties.)
   
   In this issue I have to disagree wholeheartedly. As I have explained in a 
response to others - this is a major change in the code that has not gained 
enough "mileage" in the "wild" since we have not released it. It may contain 
some subtle bug that neither you nor I have detected. Therefore, we *must* have 
a "kill switch" for it so that our software is not rendered inoperable and then 
we have to scramble to fix it. This way, if a subtle bug is indeed detected the 
users can simply disable it, and they would simply revert to the situation 
before the vulnerability was detected - but at least something would be 
*working*.
   
   You could make the case that the default for the property should be *on*. It 
is a valid claim, but I personally do not feel confident enough to do so in 
view of the major behavior change it entails. If, after running more tests, you 
should feel comfortable with making it active by default - please do so in a 
future code change. I will not object to it...


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

