Closed ericbn closed 8 years ago
For CentOS 6.5 in particular, we don't have verification that the fixes for several critical openssl vulnerabilities are installed, like the fixes for DROWN and POODLE. We didn't think it was safe to encourage people to use unpatched installs with these critical vulnerabilities. I think you can yum update and at least address POODLE issues on CentOS 6.5, but I'm not sure about DROWN.
Anyway it was due to some really unusual openssl issues discovered after CentOS 6.5 was released.
Currently you really want to be working with CentOS 6.7 as the minimum base for safety. After spending time trying to fight with using 1.0.1e or using backports, we're not sure how to address these critical issues in the older versions so they were dropped.
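One way to get the verification the reply above says is missing: ask the installed openssl RPM's changelog whether the packager recorded the two fixes. This is an added example, not code from boxcutter/centos or from the commenter; the CVE identifiers (DROWN = CVE-2016-0800, POODLE = CVE-2014-3566) are the public ones, the changelog fragments are constructed sample text, and the fallback to them when rpm is absent is only so the script can be exercised off a CentOS host.

```shell
#!/bin/sh
# Added example (not boxcutter/centos code): check whether the installed
# openssl RPM's changelog records the fixes for the two issues named in the
# thread. Public identifiers: DROWN = CVE-2016-0800, POODLE = CVE-2014-3566.
# On a CentOS box run it as-is; without rpm it falls back to constructed
# sample changelog text so it can be exercised offline.

REQUIRED_CVES="CVE-2016-0800 CVE-2014-3566"

# missing_cves CHANGELOG_TEXT [CVE...]: print, one per line, the CVE ids not
# found anywhere in the changelog text. Prints nothing when all are present.
missing_cves() {
    text=$1; shift
    for cve in "$@"; do
        printf '%s\n' "$text" | grep -q -- "$cve" || printf '%s\n' "$cve"
    done
}

# openssl_patch_status CHANGELOG_TEXT: prints "patched" when every required
# CVE is mentioned, otherwise "missing: <space-separated ids>".
openssl_patch_status() {
    missing=$(missing_cves "$1" $REQUIRED_CVES | tr '\n' ' ')
    missing=${missing% }
    if [ -z "$missing" ]; then
        echo patched
    else
        echo "missing: $missing"
    fi
}

# Constructed sample changelog fragments (not real rpm output): one host with
# both fixes recorded, one that only has the POODLE-era update.
PATCHED_SAMPLE='- fix CVE-2016-0800 (DROWN)
- add TLS_FALLBACK_SCSV support, CVE-2014-3566 (POODLE)'
STALE_SAMPLE='- add TLS_FALLBACK_SCSV support, CVE-2014-3566 (POODLE)'

# Live check when rpm is available (CentOS), otherwise run over the samples.
if command -v rpm >/dev/null 2>&1; then
    live=$(rpm -q --changelog openssl 2>/dev/null)
    echo "installed openssl: $(rpm -q openssl) -> $(openssl_patch_status "$live")"
else
    echo "patched sample -> $(openssl_patch_status "$PATCHED_SAMPLE")"
    echo "stale sample   -> $(openssl_patch_status "$STALE_SAMPLE")"
fi
```

A changelog hit only tells you the package carries the patch. For POODLE the package-level change is TLS_FALLBACK_SCSV support; whether SSLv3 is actually refused is still a per-service setting (httpd, postfix, etc.), so check that separately, and run the script after a yum update rather than against the box as shipped.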
Anna, thank you for the heads up! Makes perfect sense. I'll notify the team about the issues as we were not considering that...
Why do https://github.com/boxcutter/centos/commit/51234adad1ccb225dc6171c0888b24ac6568c52a ?
Our team uses boxcutter/centos65, as the environment for our application is only certified up to this version of CentOS. And as the iso_url is still valid, why remove it?