On Sun, Feb 03, 2008 at 05:29:47PM -0800, Russ Allbery wrote:
> > I'm pretty sure I don't want to implement support for migrating the full set
> > of OpenSSL cipher specs in shell. :P
> >
> > Do you think converting the above aliases would be good enough coverage?
> > Or do we need to provide some upgrade handling for all the
> > possibilities, and therefore we're doomed to add yet another debconf
> > error message here? In the latter case I'm probably not going to spend
> > the effort on auto-migrating any of the values.
>
> I would just comment out the cipher list directive completely on upgrade
> and document the need to correct it manually if desired in NEWS.Debian.
> The most common use of this directive is to restrict use of weak ciphers,
> which GnuTLS doesn't support in the first place.

My natural inclination here then is to still make this a debconf error
message, when one of these TLSCipherSuite lines is detected. It's not nice
to translators, but an untranslatable NEWS.Debian file isn't nicer to users
than an untranslated debconf template anyway, and with a debconf error we
can directly notify the users whose configs have had to be changed.

> It is unfortunate that GnuTLS doesn't support the same general keywords as
> OpenSSL, and it seems like that would be easy enough for GnuTLS to add.
> Maybe a wishlist bug against GnuTLS is in order?

Filed as bug #464625.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
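
The upgrade step discussed in this thread (detect active TLSCipherSuite lines, comment them out, and use the count to decide whether to notify the admin), sketched as an added example; it is not code from the slapd package or from either poster. The function names, the inserted comment text and the sample config are assumptions, and the debconf call itself is left out.

```shell
#!/bin/sh
# Added example: helper names and the inserted comment text are assumptions,
# not taken from the slapd package's maintainer scripts.

# Print the number of active TLSCipherSuite directives in config file $1.
# slapd.conf keywords are case-insensitive; lines starting with "#" are
# comments, so "#TLSCipherSuite ..." is not counted.
count_tls_ciphersuite() {
    awk '!/^[ \t]/ && tolower($1) == "tlsciphersuite" { n++ }
         END { print n + 0 }' "$1"
}

# Write config file $1 to stdout with every TLSCipherSuite directive
# commented out. A line starting with whitespace continues the previous
# directive in slapd.conf, so continuation lines are commented out too.
disable_tls_ciphersuite() {
    awk '
        /^[ \t]/ { if (hit) print "#" $0; else print; next }
        { hit = (tolower($1) == "tlsciphersuite") }
        hit {
            print "# Disabled on upgrade: OpenSSL cipher spec, not understood by GnuTLS"
            print "#" $0
            next
        }
        { print }
    ' "$1"
}

# Constructed sample slapd.conf fragment (not from a real system).
sample_conf() {
    cat <<'EOF'
TLSCertificateFile /etc/ldap/server.pem
tlsciphersuite HIGH:MEDIUM:
  -SSLv2
#TLSCipherSuite ALL
TLSVerifyClient never
EOF
}

# Demo: a non-zero count is the condition under which the admin would be
# notified (for instance through a debconf error template).
conf=$(mktemp) && sample_conf > "$conf"
echo "active TLSCipherSuite directives: $(count_tls_ciphersuite "$conf")"
disable_tls_ciphersuite "$conf"
rm -f "$conf"
```

Running the rewrite a second time changes nothing, because the commented-out lines no longer match.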