On 2020/05/02 00:43, Stephan Mending wrote:
> On 02/05/2020 00:40, Stuart Henderson wrote:
> > On 2020/05/02 00:23, Stephan Mending wrote:
> > > Hi,
> > >
> > > I actually read your thread. By what I understood you're at the moment
> > > trying to change a few defaults.
> > >
> > > That was the reason I wanted to add SHA1 for removal. I just thought it
> > > deserved a separate thread.
> > >
> > > I do understand that you're trying to be careful with removing or changing
> > > defaults. From my point of view everybody that is (maybe implicitly) using
> > > SHA1 right now is better off to get this wakeup call, the earlier the
> > > better.
> > >
> > > We aren't even removing SHA1, we're just not offering it as default. And for
> > > those Windows boxes who require it, those people just have to add a line to
> > > explicitly enable it. I would not see such a big problem.
> >
> > The things removed recently have a very low risk of affecting anyone.
> > sha1 (and modp1024) are high risk.
> >
> > Removing from the default list may cause some people to be unable
> > to connect to their network after updating. This may mean that they
> > are then unable to connect back in to fix it.
> >
> > If this change is made it needs to be done fairly early in the release
> > cycle, and preferably at a time when slightly fewer people are relying
> > on working remote access to get at their networks.
> >
>
> I don't have much experience with such a big project like OpenBSD. How do
> you normally carry through with such significant changes? Just the release
> notes and hoping somebody in snaps will complain? Or is there more to it,
> which I didn't notice?
>
Testing where we can, but allowing for the fact that we can't test everything, riskier changes need to be done at a point where we have a good chance to get feedback from -current users so we can come up with good advice for release notes.
