Colin Watson <cjwat...@debian.org> writes:

> On Sat, Dec 30, 2023 at 12:13:28AM +0100, Philipp Kern wrote:
>> On 29.12.23 11:30, Simon Josefsson wrote:
>> > SSH3 is a complete revisit of the SSH protocol, mapping its semantics on
>> > top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for
>> > secure channel establishment and the HTTP Authorization mechanisms for
>> > user authentication. Among others, SSH3 allows the following
>> > improvements:
>>
>> I feel like SSH3 is an unfortunate name. The program claims "SSH3 stands for
>> the concatenation of SSH and H3." - well sure, but you're also reusing the
>> name of an existing protocol and bump its version. ssh-h3?
>
> I agree - as the Debian OpenSSH maintainer, I'm concerned that this will
> cause a new source of user confusion because people will think "ah,
> ssh3, that must be better than ssh" (which indeed seems to have been a
> deliberate marketing choice by this project) and not realize that it's a
> largely incompatible thing. Not to mention the way that it parses
> OpenSSH configuration files, which may work today but I doubt OpenSSH
> offers any guarantees that it won't make changes that will break this
> independent parser in future.

I share these concerns, so I'll delay the upload for now. I'm hoping
upstream will rename the project to something less confusing.

> I also feel that something security-critical like this that's labelled
> by upstream as "still experimental" probably shouldn't be in a Debian
> release. Maybe it should be kept in Debian experimental for the time
> being?

Sounds good if nothing happens on the naming front in the next
weeks/months. Let's wait and see a bit.

One alternative that was suggested was to call the package something
else in Debian. 'golang-ssh3'? 'go-ssh3'? Still somewhat problematic
as long as the 'ssh3' name is in there.

/Simon