On Sat, Dec 30, 2023 at 12:13:28AM +0100, Philipp Kern wrote: > On 29.12.23 11:30, Simon Josefsson wrote: > > SSH3 is a complete revisit of the SSH protocol, mapping its semantics on > > top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for > > secure channel establishment and the HTTP Authorization mechanisms for > > user authentication. Among others, SSH3 allows the following > > improvements: > > I feel like SSH3 is an unfortunate name. The program claims "SSH3 stands for > the concatenation of SSH and H3." - well sure, but you're also reusing the > name of an existing protocol and bump its version. ssh-h3?
I agree - as the Debian OpenSSH maintainer, I'm concerned that this will cause a new source of user confusion because people will think "ah, ssh3, that must be better than ssh" (which indeed seems to have been a deliberate marketing choice by this project) and not realize that it's a largely incompatible thing. Not to mention the way that it parses OpenSSH configuration files, which may work today but I doubt OpenSSH offers any guarantees that it won't make changes that will break this independent parser in future. I also feel that something security-critical like this that's labelled by upstream as "still experimental" probably shouldn't be in a Debian release. Maybe it should be kept in Debian experimental for the time being? -- Colin Watson (he/him) [cjwat...@debian.org]