nanog mailing list archives

Re: Wikipedia drops support for old Android smartphones; mandates TLSv1.2 to read


From: DaKnOb <daknob.mac () gmail com>
Date: Tue, 31 Dec 2019 17:58:14 +0200

I still don’t see any multi-million dollar donation receipts though.. 

So if we want to do this, do we sacrifice security for the 99.9% or do we have Wikimedia pay the bill?

Oh, BTW, I have some network equipment with only 16-bit ASN support, or no large communities, or no IPv6, or no AES, or 
no BGP4, or no RPKI, or no [...] so I don’t know if it’s late but maybe we should revert at least some of those, 
because they’re not really needed.. The internet is broken anyways, so we don’t need more ASNs, or security, or 
connectivity anyways.. Oh, and it can do only 10 Mbit Ethernet, so my buffers fill up with anything at GbE or above, 
can we scrap them too? 

On a serious note, I don’t think TLS does not provide validation of the server just because the Web PKI system is 
broken, and I don’t think TLS doesn’t provide security or privacy. And I also believe they are needed. There are many 
scenarios where they are vital.. 

- They protect against modifying content: now if an anonymous edit is made, everyone will see and revert it, without 
TLS everyone could see a different thing and we wouldn’t know. 
- They protect against knowing what people browse (privacy): I don’t want others to know what information I look up on 
Wikipedia, or at least more people than necessary. Someone mentioned that if I have this requirement I should work 
towards it. I think most people have this requirement and it’s easier if Wikipedia works towards it, than everyone 
setting up a network and peering directly with every website they want to use. 

I am usually in favor of replacing things if possible that hold back everyone else, even if it hurts. We’re not 
throwing away last year’s phones, but devices closing in on 10 years of life. If we want devices we want to keep, and reduce 
e-waste and all that, we should find a way to keep them up to date, not demand that nobody makes any progress.. If 
Android could get updates (I think it can now) we could just add TLS 1.2 and TLS 1.3 by backporting. No new features, 
just essentials. But for some reason, someone, not necessarily in the Android team, and for some reason, decided that 
it’s not a priority.

Would we accept network equipment that doesn’t receive updates? Maybe, due to cost. But should we, or just maybe put 
some pressure on the manufacturer to support it for more than 3 months?

There’s a debate on how long the new cars should receive software updates. People keep them for over 15 years. Should 
we replace our cars every 2? No. The manufacturers should support them for a reasonable period, and then we should 
accept that some features will stop working. 

Now you may say if the car manufacturer stops producing parts after 2 years, you can find some third party ones. Well, 
nobody stops you from operating a reverse proxy for Wikipedia at unsafewikipedia.org, but the pros and cons there are 
different.. 

On 31 Dec 2019, at 17:12, Seth Mattinen <sethm () rollernet us> wrote:

> On 12/31/19 12:50 AM, Ryan Hamel wrote:
>> Just let the old platforms ride off into the sunset as originally planned like the SSL implementations in older JRE 
>> installs, XP, etc. You shouldn't be holding onto the past.
>
> Because poor people anywhere on earth that might not have access to the newer technology don't deserve access to 
> Wikipedia, right? Gotta make sure information is only accessible to those with means to keep "lesser" people out.
