On 02/05/2020 00:40, Stuart Henderson wrote:
On 2020/05/02 00:23, Stephan Mending wrote:
Hi,

I actually read your thread. By what I understood you're at the moment
trying to change a few defaults.

That was the reason I wanted to add SHA1 for removal. I just thought it
deserved a separate thread.

I do understand that you're trying to be careful with removing or changing
defaults. From my point of view everybody that is (maybe implicitly) using
SHA1 right now is better off getting this wakeup call, the earlier the
better.

We aren't even removing SHA1, we're just not offering it as default. And for
those Windows boxes that require it, those people just have to add a line to
explicitly enable it. I would not see such a big problem.
The things removed recently have a very low risk of affecting anyone.
sha1 (and modp1024) are high risk.

Removing from the default list may cause some people to be unable
to connect to their network after updating. This may mean that they
are then unable to connect back in to fix it.

If this change is made it needs to be done fairly early in the release
cycle, and preferably at a time when slightly fewer people are relying
on working remote access to get at their networks.


I don't have much experience with such a big project like OpenBSD. How do you normally carry through with such significant changes? Just the release notes and hoping somebody in snaps will complain? Or is there more to it, which I didn't notice?
