[openstack-dev] No PROTOCOL_SSLv3 in Python 2.7 in Sid since 3 days
fungi at yuggoth.org
Fri Nov 21 19:11:48 UTC 2014
On 2014-11-21 12:31:08 -0500 (-0500), Donald Stufft wrote:
> Death to SSLv3 IMO.

Sure, we should avoid releasing new versions of things which assume
SSLv3 support is present in underlying libraries/platforms (it's
unclear to me why anyone even thought it was good to make that
configurable to this degree in openstack-common, but it probably
dates back to before the nova common split). But what we're talking
about here is fixing a deployability/usability bug where the
software is assuming the presence of something removed from a
dependency on some platform. I'd rather not conflate it with
knee-jerk "SSLv3 Bad" rhetoric which risks giving casual readers the
impression there's some vulnerability here.

Ceasing to assume the presence of SSLv3 support is a safe choice for
the software in question. Forcing changes to stable branches for
this should be taken on its merits as a normal bug, and not
prioritized because of any perceived security impact.
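
As an added illustration (not part of the original message and not openstack-common's code), one way to stop assuming `ssl.PROTOCOL_SSLv3` exists is to build the name-to-constant map from whatever the local `ssl` module actually exposes. The config keys, function names and the `NoSSLv3Module` stand-in are hypothetical.

```python
import ssl

# Hypothetical config-value -> ssl attribute names. Only the attribute
# names are real; the config keys are assumed for this example.
_CANDIDATES = {
    "sslv23": "PROTOCOL_SSLv23",
    "sslv3": "PROTOCOL_SSLv3",
    "tlsv1": "PROTOCOL_TLSv1",
}


def available_protocols(ssl_module=ssl):
    """Return only the protocols this build of the ssl module exposes."""
    found = {}
    for name, attr in _CANDIDATES.items():
        # getattr with a default avoids an AttributeError at import time
        # on platforms whose ssl module no longer has PROTOCOL_SSLv3.
        const = getattr(ssl_module, attr, None)
        if const is not None:
            found[name] = const
    return found


def resolve_protocol(configured, ssl_module=ssl):
    """Map a configured name to a constant, failing with a clear error."""
    protocols = available_protocols(ssl_module)
    key = configured.strip().lower()
    if key not in protocols:
        raise ValueError(
            "ssl_version %r is not supported by this Python build; "
            "available: %s" % (configured, ", ".join(sorted(protocols))))
    return protocols[key]


class NoSSLv3Module(object):
    """Constructed stand-in for an ssl module built without SSLv3."""
    PROTOCOL_SSLv23 = 2
    PROTOCOL_TLSv1 = 3


if __name__ == "__main__":
    print(sorted(available_protocols(NoSSLv3Module)))
    print(resolve_protocol("TLSv1", NoSSLv3Module))
    try:
        resolve_protocol("SSLv3", NoSSLv3Module)
    except ValueError as exc:
        print("rejected: %s" % exc)
```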