On Oct 9, 2008, at 5:59 AM, Ian G wrote:



>> As we all know, this will not be in 2.2.10... Please recall that
>> things must be in -trunk before being viable for backport to 2.2.x.
>
> It's impossible to even express how disappointing this is ;(
>
> There are only two changes in TLS on the server side that have been
> identified to have any effect on phishing [1]. TLS/SNI is the easy one.
>
> A httpd fix will almost work by itself;  the browsers already did
> their part [2].  Only the config changes implemented by all here are
> needed on the web server to turn the LAMPs on in a million small but
> secured sites.
>
> Which makes this the #1 easy fix for security in existing code
> bases, today, and since around 2004 [3].  This massive injection of
> activity will flow through in dozens of ways, e.g., by pulling more
> and more Linux guys into thinking about securing systems.
>
> What are the blockages?  Mozo have offered money but don't know what
> to do or who to talk to?


The ASF is not a "for hire" agency. Also, we have a known and
set policy regarding how patches are accepted and then backported
to the release branch. We will not simply "plug in" new stuff
in the 2.2 branch without it getting a good, deep vetting in
trunk.
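For readers unfamiliar with what the "config changes" above amount to, here is an added example (not from this thread or from the httpd project) of the mod_ssl setup that TLS/SNI makes possible: two name-based TLS virtual hosts sharing a single IP address and port. It assumes an httpd build whose mod_ssl supports SNI (2.2.12 or later); the hostnames and file paths are constructed placeholders.

```apache
# Added example, not from the mailing-list thread.
# Assumption: httpd >= 2.2.12 with an SNI-capable mod_ssl/OpenSSL.
# Without SNI, only one certificate can be served per IP:port, so each
# TLS site needs its own address; with SNI the client names the host it
# wants in the handshake and httpd picks the matching vhost below.
Listen 443
NameVirtualHost *:443

# First vhost: also the default for clients that send no SNI name.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    DocumentRoot /var/www/example.com
</VirtualHost>

# Second vhost on the same address and port, selected by SNI.
<VirtualHost *:443>
    ServerName www.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.net.key
    DocumentRoot /var/www/example.net
</VirtualHost>

# Failure mode to plan for: a non-SNI client asking for www.example.net
# is handed the first vhost's certificate, so it sees a name mismatch
# warning rather than the right site. To reject such clients with a 403
# instead of serving the default vhost, enable the strict check:
SSLStrictSNIVHostCheck on

# Verification from a shell (OpenSSL >= 0.9.8f sends SNI):
#   openssl s_client -connect 192.0.2.10:443 -servername www.example.net
# The subject of the returned certificate should name www.example.net;
# omit -servername and you should get www.example.com's certificate.
```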
