Stuart Henderson([email protected]) on 2020.05.01 23:46:49 +0100:
> On 2020/05/02 00:43, Stephan Mending wrote:
> > On 02/05/2020 00:40, Stuart Henderson wrote:
> > > On 2020/05/02 00:23, Stephan Mending wrote:
> > > > Hi,
> > > >
> > > > I actually read your thread. By what I understood you're at the moment
> > > > trying to change a few defaults.
> > > >
> > > > That was the reason I wanted to add SHA1 for removal. I just thought it
> > > > deserved a separate thread.
> > > >
> > > > I do understand that you're trying to be careful with removing or
> > > > changing defaults. From my point of view everybody that is (maybe
> > > > implicitly) using SHA1 right now is better off to get this wakeup call,
> > > > the earlier the better.
> > > >
> > > > We aren't even removing SHA1, we're just not offering it as default. And
> > > > for those Windows boxes who require it, those people just have to add a
> > > > line to explicitly enable it. I would not see such a big problem.
> > > The things removed recently have a very low risk of affecting anyone.
> > > sha1 (and modp1024) are high risk.
> > >
> > > Removing from the default list may cause some people to be unable
> > > to connect to their network after updating. This may mean that they
> > > are then unable to connect back in to fix it.
> > >
> > > If this change is made it needs to be done fairly early in the release
> > > cycle, and preferably at a time when slightly fewer people are relying
> > > on working remote access to get at their networks.
> > >
> >
> > I don't have much experience with such a big project like OpenBSD. How do
> > you normally carry through with such significant changes? Just the release
> > notes and hoping somebody in snaps will complain? Or is there more to it,
> > which I didn't notice?
> >
> Testing where we can, but allowing for the fact that we can't test
> everything, riskier changes need to be done at a point where we have a
> good chance to get feedback from -current users so we can come up with
> good advice for release notes.
For flag days like this, we try to have a transition period if possible. For example here we could announce (in the release notes and/or the upgrade guide for 6.7) that sha1/modp1024 is deprecated, including a command for users to check if they have it in use. Some time after 6.7 is released, in the -current branch, we remove them. Then users of releases/stable-branch have 6 months to change their configuration. Alternatively we can remove them after 6.8 has been released, giving even more time.
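The kind of check a deprecation notice could point users at, as an added example that is not part of this thread and not OpenBSD's own code: a POSIX shell function that reads an iked.conf-style file and reports policies that name hmac-sha1 or modp1024 explicitly, plus policies that set no ikesa/childsa transforms at all and so would silently pick up whatever the defaults become (the "maybe implicitly using SHA1" case raised above). The thread does not name the daemon, so the token syntax and the sample config here are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): report iked.conf-style
# policies that would be affected by dropping sha1/modp1024 from the defaults.
# Assumptions: iked.conf token syntax ("auth hmac-sha1", "group modp1024",
# "ikesa ..."/"childsa ..."), one "ikev2" policy per line. The daemon is not
# named in the thread, so treat this syntax as hypothetical.

check_deprecated() {
    # $1: path to the config file.
    # Prints one finding per line; returns 1 if anything was found, else 0.
    found=0
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            ikev2*) ;;          # only policy lines are inspected
            *) continue ;;      # comments, blanks, macros, includes
        esac
        case "$line" in
            *hmac-sha1*) printf 'line %d: explicit hmac-sha1\n' "$n"; found=1 ;;
        esac
        case "$line" in
            *modp1024*) printf 'line %d: explicit modp1024\n' "$n"; found=1 ;;
        esac
        # A policy with no transform keywords at all relies on the daemon's
        # defaults and changes behaviour the moment the defaults change.
        case "$line" in
            *ikesa*|*childsa*) ;;
            *) printf 'line %d: no explicit transforms, relies on defaults\n' "$n"; found=1 ;;
        esac
    done < "$1"
    return "$found"
}

# Constructed sample config, not a real deployment.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample
ikev2 "legacy" esp from 10.0.0.0/24 to 10.0.1.0/24 peer 192.0.2.1 ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 childsa auth hmac-sha1 enc aes-128 psk "sample"
ikev2 "modern" esp from 10.0.0.0/24 to 10.0.2.0/24 peer 192.0.2.2 ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 childsa auth hmac-sha2-256 enc aes-256 psk "sample"
ikev2 "implicit" esp from 10.0.0.0/24 to 10.0.3.0/24 peer 192.0.2.3 psk "sample"
EOF

# A second constructed file containing only the policy with modern transforms.
CLEAN_CONF=$(mktemp)
grep '"modern"' "$SAMPLE_CONF" > "$CLEAN_CONF"

check_deprecated "$SAMPLE_CONF" || echo "review the policies above before the defaults change"
```

Run against the real config before upgrading; the non-zero exit status makes it usable from a pre-upgrade script, and the "relies on defaults" finding is the one an explicit grep for sha1 would miss.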
