They would do this.

contextBuilder.modules(..., new AbstractModule() {
  @Override public void configure() {}
  @Provides @Singleton Supplier<SSLContext> unpoodled() {
    return // favorite thing.
  }
});


@gaul: would describing this in the release notes make you reconsider your vote? I also of course want to fix this, but from the discussion it is clear we haven't found the right approach yet.

If we are going to apply band-aids for now, I would prefer to document a band-aid that does not do something we're not totally happy with, also applies to non-1.8.1 users and gives the users more ability to make their own choices.

I understand Diwaker's comment [1] in the JIRA issue that configuring your own module is not exactly "trivial", but seeing as we seem to agree at this point that this issue does *not* pose an immediate security risk to jclouds users generally, I feel that we can get away with the above proposal.

WRT "untrusted" I think it confuses things to patch poodle, yet trust
all certs :) That's why I suggest rolling back that part.

@Adrian: TL;DR: if "untrusted" here means "trust all certs", I'm not sure we should allow it to be insecure in all kinds of *other* ways, too. But since we are looking for a different fix in any case, we'll probably end up discussing this in more detail after 1.8.1 anyway ;-)

-- longer version --

Thanks for explaining that. I see what you mean about the perceived asymmetry of trying to patch this in an "untrusted" context. I may be interpreting the word incorrectly - my understanding of "untrusted" here and when referring to SSL connections generally is specifically "trust all certificates".

This is certainly insecure in many ways, but I don't think it means we should allow this to be insecure in all kinds of other ways, too - or, if that is so, we should call it "insecure" rather than "untrusted".

Depending on how the vote ends up going, it seems to me that we will be looking for a different solution here in any case, so we will probably see this discussion come around then.

Regards

ap

[1] https://issues.apache.org/jira/browse/JCLOUDS-753?focusedCommentId=14174271&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14174271
