Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3
On Sat, Dec 30, 2023 at 12:13:28AM +0100, Philipp Kern wrote:
> On 29.12.23 11:30, Simon Josefsson wrote:
> > SSH3 is a complete revisit of the SSH protocol, mapping its semantics on
> > top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for
> > secure channel establishment and the HTTP Authorization mechanisms for
> > user authentication. Among others, SSH3 allows the following
> > improvements:
>
> I feel like SSH3 is an unfortunate name. The program claims "SSH3 stands for
> the concatenation of SSH and H3." - well sure, but you're also reusing the
> name of an existing protocol and bump its version. ssh-h3?
I agree - as the Debian OpenSSH maintainer, I'm concerned that this will
cause a new source of user confusion because people will think "ah,
ssh3, that must be better than ssh" (which indeed seems to have been a
deliberate marketing choice by this project) and not realize that it's a
largely incompatible thing. Not to mention the way that it parses
OpenSSH configuration files, which may work today but I doubt OpenSSH
offers any guarantees that it won't make changes that will break this
independent parser in future.
I also feel that something security-critical like this that's labelled
by upstream as "still experimental" probably shouldn't be in a Debian
release. Maybe it should be kept in Debian experimental for the time
being?
--
Colin Watson (he/him) [cjwatson@debian.org]
Reply to: