[openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days

Jeremy Stanley fungi at yuggoth.org
Fri Nov 21 19:11:48 UTC 2014


On 2014-11-21 12:31:08 -0500 (-0500), Donald Stufft wrote:
> Death to SSLv3 IMO.

Sure, we should avoid releasing new versions of things which assume
SSLv3 support is present in underlying libraries/platforms (it's
unclear to me why anyone even thought it was good to make that
configurable to this degree in openstack-common, but it probably
dates back to before the nova common split). But what we're talking
about here is fixing a deployability/usability bug where the
software is assuming the presence of something removed from a
dependency on some platform. I'd rather not conflate it with
knee-jerk "SSLv3 Bad" rhetoric which risks giving casual readers the
impression there's some vulnerability here.

Ceasing to assume the presence of SSLv3 support is a safe choice for
the software in question. Forcing changes to stable branches for
this should be taken on its merits as a normal bug, and not
prioritized because of any perceived security impact.
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20141121/798709d8/attachment.pgp>


More information about the OpenStack-dev mailing list