On 2014-11-21 12:31:08 -0500 (-0500), Donald Stufft wrote: > Death to SSLv3 IMO.
Sure, we should avoid releasing new versions of things which assume SSLv3 support is present in underlying libraries/platforms (it's unclear to me why anyone even thought it was good to make that configurable to this degree in openstack-common, but it probably dates back to before the nova common split). But what we're talking about here is fixing a deployability/usability bug where the software is assuming the presence of something removed from a dependency on some platform. I'd rather not conflate it with knee-jerk "SSLv3 Bad" rhetoric which risks giving casual readers the impression there's some vulnerability here. Ceasing to assume the presence of SSLv3 support is a safe choice for the software in question. Forcing changes to stable branches for this should be taken on its merits as a normal bug, and not prioritized because of any perceived security impact. -- Jeremy Stanley
Description: Digital signature
_______________________________________________ OpenStack-dev mailing list OpenStackfirstname.lastname@example.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev