On 2014-11-21 12:31:08 -0500 (-0500), Donald Stufft wrote:
> Death to SSLv3 IMO.

Sure, we should avoid releasing new versions of things which assume
SSLv3 support is present in underlying libraries/platforms (it's
unclear to me why anyone even thought it was good to make that
configurable to this degree in openstack-common, but it probably
dates back to before the nova common split). But what we're talking
about here is fixing a deployability/usability bug where the
software is assuming the presence of something removed from a
dependency on some platform. I'd rather not conflate it with
knee-jerk "SSLv3 Bad" rhetoric which risks giving casual readers the
impression there's some vulnerability here.

Ceasing to assume the presence of SSLv3 support is a safe choice for
the software in question. Forcing changes to stable branches for
this should be taken on its merits as a normal bug, and not
prioritized because of any perceived security impact.
Jeremy Stanley

Attachment: signature.asc
Description: Digital signature

OpenStack-dev mailing list

Reply via email to