On Wed, Jul 23, 2008 at 12:26:43PM -0700, Steve Langasek wrote:
> On Wed, Jul 23, 2008 at 02:11:05PM -0400, Mathias Gug wrote:
>> ivoks prepared patches for a couple of packages to disable sslv2 in
>> their configuration. He also sent an email on ubuntu-devel about
>> disabling sslv2 directly in the openssl package. Discussion is
>> ongoing, with a proposal to create an openssl-sslv2 package in
>> universe that would be built with sslv2 enabled.
> FWIW, I think creating an openssl-sslv2 package would be the worst
> possible solution: duplicating security-sensitive code, and making it
> available with lesser security support. I think dropping SSLv2
> support would be better.

Err.. I don't think I follow. I imagine, we'd build the SSLv2-enabled packages from the same source package and just put the binary in universe?

I believe someone in another thread gave specific examples of 3rd party stuff that needed SSLv2 to function. Forcing them to compile OpenSSL themselves seems worse to me.

--
Soren Hansen | Virtualisation specialist | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
