Server Team 20080722 meeting minutes
Soren Hansen
soren at ubuntu.com
Thu Jul 24 14:05:32 BST 2008
On Wed, Jul 23, 2008 at 12:26:43PM -0700, Steve Langasek wrote:
> On Wed, Jul 23, 2008 at 02:11:05PM -0400, Mathias Gug wrote:
>> ivoks prepared patches for a couple of packages to disable sslv2 in
>> their configuration. He also sent an email on ubuntu-devel about
>> disabling sslv2 directly in the openssl package. Discussion is
>> ongoing, with a proposal to create an openssl-sslv2 package in
>> universe that would be built with sslv2 enabled.
> FWIW, I think creating an openssl-sslv2 package would be the worst
> possible solution: duplicating security-sensitive code, and making it
> available with lesser security support. I think dropping SSLv2
> support would be better.
Err.. I don't think I follow. I imagine, we'd build the SSLv2-enabled
packages from the same source package and just put the binary in
universe? I believe someone in another thread gave specific examples of
3rd party stuff that needed SSLv2 to function. Forcing them to compile
OpenSSL themselves seems worse to me.
--
Soren Hansen |
Virtualisation specialist | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: Digital signature
Url : https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20080724/71dfe6cd/attachment.pgp
More information about the ubuntu-devel
mailing list