Server Team 20080722 meeting minutes

Steve Langasek steve.langasek at
Thu Jul 24 18:02:44 UTC 2008

On Thu, Jul 24, 2008 at 03:05:32PM +0200, Soren Hansen wrote:
> On Wed, Jul 23, 2008 at 12:26:43PM -0700, Steve Langasek wrote:
> > On Wed, Jul 23, 2008 at 02:11:05PM -0400, Mathias Gug wrote:
> >> ivoks prepared patches for a couple of packages to disable sslv2 in
> >> their configuration. He also sent an email on ubuntu-devel about
> >> disabling sslv2 directly in the openssl package. Discussion is
> >> ongoing, with a proposal to create an openssl-sslv2 package in
> >> universe that would be built with sslv2 enabled.
> > FWIW, I think creating an openssl-sslv2 package would be the worst
> > possible solution: duplicating security-sensitive code, and making it
> > available with lesser security support.  I think dropping SSLv2
> > support would be better.

> Err.. I don't think I follow. I imagine, we'd build the SSLv2-enabled
> packages from the same source package and just put the binary in
> universe? I believe someone in another thread gave specific examples of
> 3rd party stuff that needed SSLv2 to function. Forcing them to compile
> OpenSSL themselves seems worse to me.

Oh.  That's much more sensible than the strawman I'd apparently constructed
in my mind.


Do you have a pointer to the examples of stuff still needing SSLv2?  I
hadn't seen any listed on ubuntu-devel.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                          
slangasek at                                     vorlon at

More information about the ubuntu-server mailing list