SSLv2 - do we really need it?

Scott Kitterman ubuntu at
Tue Jul 22 13:34:53 UTC 2008

On Tue, 22 Jul 2008 08:22:13 -0500 "Dustin Kirkland" 
<kirkland at> wrote:
>On Mon, Jul 21, 2008 at 11:51 AM, Steve Langasek
><steve.langasek at> wrote:
>> How will users who need SSLv2 support re-enable it?
>We could provide a second, non-default package, perhaps in universe,
>-with-sslv2, or some such.  Packages that absolutely need this support
>(perhaps even for just long enough to fix their functional issues)
>could place a depends on that package.
>And as soon as we get to the point where no packages depend on that,
>we remove it?
In transitions like this you can never get 100 percent coverage.  At some 
point you just have to move on and break the last one percent.  I think we 
are well past that point for SSLv2.

My vote is compile openssl with SSLv2 support disabled, put it in the 
release notes, and don't worry about it.  Any that has a problem with this 
can stay on Hardy for the next 5 years.  Just after an LTS release is the 
perfect time for this.

Personally, I'd rather we expend effort against making cool new stuff work 
well in Intrepid and not worry so much about packages that have not been 
updated past an ancient SSL version.

Scott K

More information about the ubuntu-server mailing list