> On Nov 10, 2014, at 11:19 PM, T.C. Hollingsworth <[email protected]>
> wrote:
>
> Upstream disabled SSLv3 in v0.10.33. I've been putting off dealing
> with it because I've been very busy, but I already got a request to do
> the same in EPEL [1].
>
> I was leaning toward not disabling it in <F20 and EPEL, since we
> typically don't do that sort of thing in stable releases. But it
> could get very confusing if upstream has disabled SSLv3 and we're
> shipping versions that claim to have it disabled. So I guess stable
> releases will be stuck at 0.10.32 + backports from future stable
> releases forever. Unless I'm being too pedantic and should just push
> the new upstream release unmodified?
>
> However, I think it's still early enough to do this for F21 at least
> so that's not stuck with the same issue forever. So unless anyone
> objects, I'm going to push an update in the next couple days and get
> it submitted before Final Freeze.
>
I'd say that this *specific* change is acceptable for backport to the stable
branches because of the POODLE vulnerability. Plenty of other packages are
making this change.
Is it possible to carry a patch that allows our users to re-enable it at
runtime if they absolutely must? If so, that's probably the optimum solution.
> Thanks!
> -T.C.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1161900
> _______________________________________________
> nodejs mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/nodejs
_______________________________________________
nodejs mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/nodejs
