[imrejonk]

They provide a good reason for completely removing the DSA code:

> We are also likely to start exploring a post-quantum signature algorithm soon and are mindful of the overall size and complexity of the key/signature code.

Vulnerabilities like heartbleed and Log4Shell is what you get when you have limited developer capacity but insist on endlessly keeping legacy code around.

[appplication]

I am a proponent of ruthlessly deprecating, deleting, and decommissioning. I fully understand there are a LOT of downsides with this approach, but legacy code is such a huge and difficult to quantify drain on developer productivity, in addition to a vector for exploitation and other bugs.

Yea, it is annoying to keep your systems up to date, and yes some (let’s be honest very small but vocal minority of) users cannot update and will be left in the cold. But security is everyone’s responsibility at all layers, and even stable OSS doesn’t owe it to you to support legacy cases at the expense of just moving forward.

It sucks but I do believe hamstringing users with complex and unsupported use cases is (unfortunately) the right thing to do. The less support these old and vulnerable systems get, the more annoying or impossible they will be to maintain, and the more inclined users will be to shut down systems that probably should have been deprecated decades ago.

Bracing myself for ire…

[szundi]

Problem is that lots of cases just cannot be replaced, period. But probably those people will keep around some old ubuntu and will be hacked through those, also not removing but keeping around after the deadline until it needs work would also make sense. If work would be needed, then just remove. We might have like 2-10 years before that happens.

Whole stuff is about security and that kind of implies some “probably best before” tags anyway. Sacrificing security is not worth it and your reasoning is sane.

[ajsnigrutin]

Yep, I work with some old industrial hardware, and most of it is stuck in the year it was made and never upgraded... rs232, rs485, telnet, etc., is a thing you see very often. Now with modern networks, you can isolate those machines and the machines controlling/monitoring them pretty efectively, so those segments never touch the internet, but you still need to connect to those devices and use them. Telnet and rs* just work, because noone complained about zero security there and wanted them removed... but now we're removing stuff that's still in use on newer devices that are not even at hal their 20, 30, 40year lifespans.

I understand the security aspect, I know that telnet is insecure, but I know when, how and why it's insecure and use it accordingly... just add some -use-bad-crypto flag, maybe even make it as a module/plugin, and leave it working as it did.

[bigDinosaur]

I don't see why such a flag is necessary when you can always use an old version of the software instead. That's your flag. Otherwise they would never drop support for anything ever, which seems less than ideal. Something simply existing in the code incurs a maintenance cost.

[ajsnigrutin]

So how do I install the old version next to the new version in ubuntu 34.04? Will the old version even compile with gcc 27? Or will I have to find some ancient ubuntu image then, run it in a virtualbox, then run wget/curl on a newer virtual machine (becase old wget/curl won't support tls 2.4, and won't be able to download the script and after the command, http-POST the result), then copy the data to an old machine, run old ssh there, get the output, copy it to a new machine, and then http-post it from there?

Imagine if every software was coded by this logic... nobody uses BMP images anymore? Just remove them from gimp... if users want BPM support, they'll use gimp 1.x. Security? Unencrypted http is insecure, just remove support for http from firefox/chrome... if users need to use http, they'll just uninstall the current version, backup their profile, install an old version, that doesn't support the lastest tls standards, open that website, copy the text they need from there into notepad, uninstall the old version, install the new version, restore their profile, open gmail and paste the text to an email... oh wait, you've missed something and need to copy some more text... whoops, back to uninstalling.

[bigDinosaur]

You virtualise, or find someone willing to maintain some ancient version of the software on modern platforms (or you pay for it). If someone wants to maintain support for legacy protocols until the heat death of the universe, they are free to do so, but again it comes with a cost that not all projects can or should bear. Someone will have to think of how the ancient protocol works on every single software update - even if technically nothing changes that's still a maintenance cost.

Also, ossified infrastructure is not a good thing. That's yet another problem we need to solve as a civilisation. Not everything new is good but some old things are genuinely inferior and should be replaced.

[john-shaffer]

> So how do I install the old version next to the new version in ubuntu 34.04?

You would install Nix and run something similar to "nix run nixpkgs-23.11#openssh <address>"

[adastra22]

> Otherwise they would never drop support for anything ever, which seems less than ideal.

In the realm of operating systems and protocols, that sounds absolutely ideal. Microsoft has the right approach here.

[bigDinosaur]

In an ideal world where the maintenance cost and added complexity do not matter, yes, but that is not this world and we cannot have everything we want without compromises.

[Dalewyn]

That kind of attitude is why Windows continues to dominate the desktop market.

Granted, I speak very generally while this thread pertains specifically to OpenSSH. I also understand the added burden of maintaining more and more code, which end-users might not properly appreciate.

Ultimately though, people use computers to achieve something and expect software to help them in that endeavour. Software cutting off features, and thus the users, will always draw ire because it inhibits people from using computers to achieve something.

Arguments from devs that software must move forward mean nothing to users who want or need to do something right now.

[Macha]

This is a feature who's replacement was available 30 years ago and the replacement of the replacement was available 10 years ago.

For comparison, Microsoft deprecated SMBv1 the same year OpenSSH deprecated DSA and removed it in 2016.

[appplication]

Fortunately I’m not competing with windows :). But real talk, I only have 40 hours a week and I put a lot of energy into providing my users features they ask for. In return, I ask of them to make it easy for me to continue to do that.

If you look at any company’s internal tooling, this is universally well understood. Migrations and upgrades are a pain in the ass in the short term but a net positive in the long term. I don’t want to break their systems, but software evolves over time and if you expect something that worked once to always work, that’s not realistic expectations for any software I’ve ever been a part of.

[Dalewyn]

I would argue the notion of "it stops working" is something acutely unique to computer software (and hardware to a significantly lesser degree).

Think about it: A computer is a tool, but most tools never "stop working" per se. That screwdriver? It used to work when it was first invented and it will still work a thousand years from now. That car? Keep it maintained and it will take you places for at least the better part of a century. That boat? We can keep boats floating forever.

Computers are one of the few, if not only, piece of tool that demands it be replaced every few years, and it probably hasn't even broken down yet which would merit a replacement.

[Jenda_]

> That screwdriver? It used to work when it was first invented and it will still work a thousand years from now.

Maybe it did not and will not -- old screwdriver is probably flat blade, now people use Philips or Pozidriv screws and in some time most will be Torx.

> That car? Keep it maintained and it will take you places for at least the better part of a century. That boat? We can keep boats floating forever.

The same: the fuel and oil is changing (maybe you will not even be able to source gasoline in 2050 if everyone migrated to electric vehicles), and specific spare parts are no longer manufactured.

I guess with large old boats also come expensive support contract - similar to paying someone for a super-long-term individual software support.

> Computers are one of the few, if not only, piece of tool that demands it be replaced every few years, and it probably hasn't even broken down yet which would merit a replacement.

Computers are also relatively new and quickly advancing in features, while the other examples you have mentioned were mostly "stable" for 100 years.

[Jenda_]

> That kind of attitude is why Windows continues to dominate the desktop market.

On the other hand, macOS is also pretty common on desktops and they don't honor backwards compatibility very much.