SSLv2 - do we really need it?
ubuntu at kitterman.com
Tue Jul 22 13:34:53 UTC 2008
On Tue, 22 Jul 2008 08:22:13 -0500 "Dustin Kirkland"
<kirkland at canonical.com> wrote:
>On Mon, Jul 21, 2008 at 11:51 AM, Steve Langasek
><steve.langasek at canonical.com> wrote:
>> How will users who need SSLv2 support re-enable it?
>We could provide a second, non-default package, perhaps in universe,
>-with-sslv2, or some such. Packages that absolutely need this support
>(perhaps even for just long enough to fix their functional issues)
>could place a depends on that package.
>And as soon as we get to the point where no packages depend on that,
>we remove it?

In transitions like this you can never get 100 percent coverage. At some
point you just have to move on and break the last one percent. I think we
are well past that point for SSLv2.

My vote is compile openssl with SSLv2 support disabled, put it in the
release notes, and don't worry about it. Anyone who has a problem with this
can stay on Hardy for the next 5 years. Just after an LTS release is the
perfect time for this.

Personally, I'd rather we expend effort against making cool new stuff work
well in Intrepid and not worry so much about packages that have not been
updated past an ancient SSL version.
More information about the ubuntu-server