On Sat, Nov 08, 2014 at 10:38:48PM +0100, Kurt Roeckx wrote:
> On Sat, Nov 08, 2014 at 09:19:18PM +0000, Emilio Pozuelo Monfort wrote:
> > On 08/11/14 18:55, Kurt Roeckx wrote:
> > >Will you accept patches for other packages that stop using the
> > >SSLv3 methods?
> >
> > If the changes are sensible (e.g. not too invasive), sure. We'll consider
> > that on a case-by-case basis.
>
> It depends on your definition of invasive. They're all very
> simple changes, it's stopping to use functions they should never
> have used in the first place, and only use the SSLv23 methods
> instead.
>
> I've filed 2 bugs with patches about this today:
> #768611: python2.7
> #768562: curl
>
> (They would fix all those RC bugs people are filing)
>
> As you can see in both patches, they're really easy. But they
> both have the potential to break reverse dependencies. And I want
> to break them, because they are broken.

So people have been fixing things at least in unstable, not sure how
many of those made it to testing. That is, they changed from
supporting SSLv3 only to TLS1+. But those changes actually make them
incompatible with the version in other branches that still only use
SSLv3. I would argue that that is an RC bug since the version from
different branches can't talk to each other using SSL anymore.

I would actually like to fix those packages in stable too.

Kurt

