On Thu, Jul 24, 2008 at 03:05:32PM +0200, Soren Hansen wrote:
> On Wed, Jul 23, 2008 at 12:26:43PM -0700, Steve Langasek wrote:
> > On Wed, Jul 23, 2008 at 02:11:05PM -0400, Mathias Gug wrote:
> >> ivoks prepared patches for a couple of packages to disable sslv2 in
> >> their configuration. He also sent an email on ubuntu-devel about
> >> disabling sslv2 directly in the openssl package. Discussion is
> >> ongoing, with a proposal to create an openssl-sslv2 package in
> >> universe that would be built with sslv2 enabled.
> > FWIW, I think creating an openssl-sslv2 package would be the worst
> > possible solution: duplicating security-sensitive code, and making it
> > available with lesser security support. I think dropping SSLv2
> > support would be better.
> Err.. I don't think I follow. I imagine, we'd build the SSLv2-enabled
> packages from the same source package and just put the binary in
> universe? I believe someone in another thread gave specific examples of
> 3rd party stuff that needed SSLv2 to function. Forcing them to compile
> OpenSSL themselves seems worse to me.

Oh. That's much more sensible than the strawman I'd apparently
constructed in my mind. :-) Do you have a pointer to the examples of
stuff still needing SSLv2? I hadn't seen any listed on ubuntu-devel.

--
Steve Langasek
Debian Developer
Ubuntu Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
http://www.debian.org/
