On Tue, Aug 15, 2017 at 05:04:50PM +0200, Kurt Roeckx wrote:

> My problem is that if we don't do something, TLS 1.0 will be used
> for another 10 years, and that's just not acceptable.

The usage of TLS in the wild does not rely on you. Neither does it on Debian, IMHO. Now, when talking about the users of Debian, I'm fine with such statements. Actually, I'm not a user of Debian myself, for good reasons.

> So I would like to do something so that hopefully by the time Buster releases
> you can disable TLS 1.0 by default, and that almost no users would
> need to enable it again.

What do you mean by *you*? The users? They don't seem to have any choice.

> Having TLS 1.0 (and 1.1) enabled by default itself is not a
> problem, it's actually using it that's a problem.

Well, there are a lot of problems in the world. Not being able to use a protocol anymore because a maintainer decided to disable the feature can be one of them.

> There are clearly still too many that don't support TLS 1.2, but it's
> getting better.

So this policy is neglecting the users' needs in the hope this will force third parties to move...

> Disabling the protocols is the only way I know how to identify
> all the problems.

There is a gap between forcefully disabling a protocol and disabling it with the possibility to manually re-enable it when really required. Even if we admit that the "forcefully disallow protocols for our users" policy is a good alternative to change the world, it's well known that all the providers won't upgrade any time soon. So, the Buster users are taken hostage.

> And I would like to encourage everybody to
> contact the other side if things break and get them to upgrade.

Sure. This does not prevent providing a plan B: manually re-enable a "won't be supported anymore" feature.

I tend to think that in the end this is all about consideration for your users. Of course, it's up to you to go your own way.

-- 
Nicolas Sebrecht
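As an added illustration of the distinction drawn above between hard-disabling a protocol and disabling it by default while leaving an administrator a documented way back, here is a system-wide openssl.cnf fragment. It is not part of the thread and not Debian's or OpenSSL's own file; it assumes an OpenSSL release whose library reads a `system_default` SSL_CONF section from the configuration file (the mechanism OpenSSL 1.1.1 provides via `MinProtocol`), which the mail does not mention.

```ini
# /etc/ssl/openssl.cnf (excerpt, constructed example, not Debian's shipped file)

# Hook the library-wide defaults into the config file.
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
# Applied to every SSL_CTX created by programs linked against libssl
# that do not override these settings themselves.
system_default = system_default_sect

[system_default_sect]
# Distribution default: refuse TLS 1.0 and 1.1 on both client and server side.
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2

# Plan B for a site that still has to talk to a TLS 1.0-only peer:
# the administrator lowers the floor here instead of patching software.
# Keep this commented out unless a concrete peer requires it, and
# revert once that peer upgrades.
#MinProtocol = TLSv1.0
#CipherString = DEFAULT@SECLEVEL=1
```

The security value of the split is that the default protects everyone who never looks at the file, while the handshake failures the thread talks about surface immediately as errors an operator can recognise, rather than as silently weaker connections; the re-enable path is a one-line, auditable local change rather than a rebuild of the library.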