Server Team 20080722 meeting minutes
steve.langasek at ubuntu.com
Thu Jul 24 18:02:44 UTC 2008
On Thu, Jul 24, 2008 at 03:05:32PM +0200, Soren Hansen wrote:
> On Wed, Jul 23, 2008 at 12:26:43PM -0700, Steve Langasek wrote:
> > On Wed, Jul 23, 2008 at 02:11:05PM -0400, Mathias Gug wrote:
> >> ivoks prepared patches for a couple of packages to disable sslv2 in
> >> their configuration. He also sent an email on ubuntu-devel about
> >> disabling sslv2 directly in the openssl package. Discussion is
> >> ongoing, with a proposal to create an openssl-sslv2 package in
> >> universe that would be built with sslv2 enabled.
> > FWIW, I think creating an openssl-sslv2 package would be the worst
> > possible solution: duplicating security-sensitive code, and making it
> > available with lesser security support. I think dropping SSLv2
> > support would be better.
> Err.. I don't think I follow. I imagine, we'd build the SSLv2-enabled
> packages from the same source package and just put the binary in
> universe? I believe someone in another thread gave specific examples of
> 3rd party stuff that needed SSLv2 to function. Forcing them to compile
> OpenSSL themselves seems worse to me.
Oh. That's much more sensible than the strawman I'd apparently constructed
in my mind.
Do you have a pointer to the examples of stuff still needing SSLv2? I
hadn't seen any listed on ubuntu-devel.
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
More information about the ubuntu-server