> This is shite design . . . [Stuff] sorted so when an old system plugins in it at least limp mode upgrades
It’s an economic- and risk-based calculation based on security.
You’re trying to get a TWELVE-YEAR OLD system online. Let’s see, since 2012, TLS 1.0 and TLS 1.1 have been officially deprecated (in 2021). In 2024, companies serving TLS 1.1 do not pass certain modern compliance standards. Mountain Lion from 2012 doesn’t support TLS 1.2. Are you arguing that they should leave around a TLS 1.1-based endpoint up, with ciphers that are no longer recommended? And how many CAs can still issue a valid cert trusted by a 12-yr old system?
> [there is zero risk attached]
Community-based Linux distros also offer HTTP (insecure) mirrors. There is also zero risk attached to the mirror serving HTTP. All the risk is on the user side. They don’t care that it’s an exploitable vector. They don’t have a commercial risk/downside. They didn’t sell fleets of old devices with their name on it.
> This is one of the wealthiest corporations on earth
Well this is why. It’s because they spend their money wisely. They decided that supporting OSes over 7 years old (with god knows what unpatched critical vulns) is not money wisely spent and poses too much risk to their user populace, so they would rather not allow it, rather than support it. They don’t want to train their support on it and they don’t want to allow the possibility of punters getting their old hardware to an older release with open CVEs.