Re: squeeze update of openssh?

To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: Guido Günther <agx@sigxcpu.org>, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, debian-lts@lists.debian.org
Subject: Re: squeeze update of openssh?
From: Colin Watson <cjwatson@debian.org>
Date: Sat, 30 Jan 2016 01:27:43 +0000
Message-id: <[🔎] 20160130012743.GA8922@riva.ucam.org>
Mail-followup-to: Antoine Beaupré <anarcat@orangeseeds.org>, Guido Günther <agx@sigxcpu.org>, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 87mvroqd8l.fsf@marcos.anarc.at>
References: <[🔎] 20160115104622.GA5647@minobo.das-netzwerkteam.de> <[🔎] 1452864937.2519.5.camel@decadent.org.uk> <[🔎] 20160115134712.GB32596@bogon.m.sigxcpu.org> <[🔎] 1452865833.15013.79.camel@debian.org> <[🔎] 20160115140144.GK2181@riva.ucam.org> <[🔎] 20160123115051.GA4447@bogon.m.sigxcpu.org> <[🔎] 87mvroqd8l.fsf@marcos.anarc.at>

On Fri, Jan 29, 2016 at 04:36:58PM -0500, Antoine Beaupré wrote:
> So this definitely need coordination with the openssh maintainers at
> this point, to at least confirm or infirm the "usability over security"
> decision that happened all that while ago.

I did that recently, and came to the conclusion that the upstream
default isn't just unusable, it's laughably unusable:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765632#41

debian-devel wasn't unanimous, but those people who responded from
desktop development communities (Josselin) indicated that there was
negligible interest in doing anything about this.  So no, unless the
latter state of affairs changes I am not going to change this.  Sorry.
A different solution must be found.

> It seems unreasonable to expose users to such a security issue just
> for the convenience of some setups that could easily be fixed.

Fine words, and you're not the first to utter them; but they need to be
backed up with action in graphical toolkits, and such action has not
been in evidence for a decade or more.

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Re: squeeze update of openssh?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

References:
- squeeze update of openssh?
  - From: Mike Gabriel <sunweaver@debian.org>
- Re: squeeze update of openssh?
  - From: Ben Hutchings <ben@decadent.org.uk>
- Re: squeeze update of openssh?
  - From: Guido Günther <agx@sigxcpu.org>
- Re: squeeze update of openssh?
  - From: Yves-Alexis Perez <corsac@debian.org>
- Re: squeeze update of openssh?
  - From: Colin Watson <cjwatson@debian.org>
- Re: squeeze update of openssh?
  - From: Guido Günther <agx@sigxcpu.org>
- Re: squeeze update of openssh?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Re: squeeze update of openssh?
Next by Date: Re: squeeze update of prosody?
Previous by thread: Re: squeeze update of openssh?
Next by thread: Re: squeeze update of openssh?
Index(es):
- Date
- Thread