Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 31 May 2019 15:35:46 -0700
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   Re: svn commit: r348482 - stable/11/sys/netipsec
Message-ID:  <15af7ff4-42c9-2020-4167-6e757317f38a@FreeBSD.org>
In-Reply-To: <201905312026.x4VKQu3T051213@repo.freebsd.org>
References:  <201905312026.x4VKQu3T051213@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 5/31/19 1:26 PM, John Baldwin wrote:
> Author: jhb
> Date: Fri May 31 20:26:56 2019
> New Revision: 348482
> URL: https://svnweb.freebsd.org/changeset/base/348482
> 
> Log:
>   MFC 348205:
>   Add deprecation warnings for IPsec algorithms deprecated in RFC 8221.
>   
>   All of these algorithms are either explicitly marked MUST NOT, or they
>   are implicitly MUST NOTs by virtue of not being included in IETF's
>   list of protocols at all despite having assignments from IANA.
>   
>   Specifically, this adds warnings for the following ciphers:
>   - des-cbc
>   - blowfish-cbc
>   - cast128-cbc
>   - des-deriv
>   - des-32iv
>   - camellia-cbc
>   
>   Warnings for the following authentication algorithms are also added:
>   - hmac-md5
>   - keyed-md5
>   - keyed-sha1
>   - hmac-ripemd160
>   
>   Approved by:	re (gjb)

Sigh, so I just noticed while testing an MFC of another commit that adds
deprecation warnings (GELI) that these warnings don't actually fire in 11
because gone_in(13, ...) only warns on 12.x and later:

void
_gone_in(int major, const char *msg)
{

        gone_panic(major, P_OSREL_MAJOR(__FreeBSD_version), msg);
        if (P_OSREL_MAJOR(__FreeBSD_version) >= major)
                printf("Obsolete code will removed soon: %s\n", msg);
        else if (P_OSREL_MAJOR(__FreeBSD_version) + 1 == major)
                printf("Deprecated code (to be removed in FreeBSD %d): %s\n",
                    major, msg);
}

I guess we could make the later test unconditional on stable/11 (and possibly
make that change on HEAD and MFC it)?  I think I understand why we did that
originally (you could MFC warnings back to older branches without annoying
users to keep code in sync), but I wonder if in practice we don't want the
warnings always enabled?

-- 
John Baldwin

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15af7ff4-42c9-2020-4167-6e757317f38a>