Doug Hellmann wrote:
On Mon, Mar 24, 2014 at 5:55 PM, Alan Pevec <apevec@gmail.com> wrote:
2014-03-24 19:14 GMT+01:00 Doug Hellmann <doug.hellmann@dreamhost.com>:
> I tend to agree that a dependency change like this is "too big." OTOH, do we
> have any security ramifications for leaving the code as-is? Would it make
> sense to try to figure out which library is available and use it, rather
> than requiring one or the other?
That would be a stable-only patch, so it would be even more risky IMHO. I guess the solution here is to document the security issues clearly in the 2013.2.3 release notes, as Adam suggested.
FWIW the security issues detected so far are mostly weaknesses in nonce generators. The main issue is that it's security-sensitive and abandoned, so distributions want to get rid of it proactively. In our case I would document in the release notes that oauth2 is abandoned upstream and that distributions that want to avoid it for Havana may apply this optional patch at [URL]. This is a typical case where distro-side patches make sense. It's temporary (icehouse fixed it) and distro-specific (not every distribution dumped it yet).

--
Thierry Carrez (ttx)