On Wed, May 27, 2015 at 07:33:12PM +0200, Christoph Anton Mitterer wrote:
> As I've said... I (personally) don't feel that concerned about this
> specific issue - we have other much more serious security problems in
> OpenSSH.
OK, but you took the trouble to reply to this bug to disagree in the first place. :-)

> I guess DKG's idea simply was that we shouldn't wait for an example case
> where an attacker may abuse this (simply because it's too late then),
> but proactively change it now.

I would normally sympathise with that. In this case, though, the original rationale for the change allowed real admins to avoid worrying about a bunch of machines that had clearly already been upgraded, and to spend time on dealing with getting the people running out-of-date machines to upgrade; when talking about thousands of heterogeneous student-run machines, that's a win for overall security even if it isn't as dramatic as an exploit. So I'm in a position where I have real-world information on one side and hypotheticals on the other, which makes the hypotheticals less convincing.

I hope that makes my position a bit clearer.

-- 
Colin Watson [cjwat...@debian.org]