Hello All, excuse my late reply.

On Thu, Nov 11, 2021 at 08:59:33AM -0500, Jim Jagielski wrote:

> Wild question: Why do we even need TLS? I know, I know, that there
> is this push for SSL everywhere, but really, despite what the powers
> behind the "new internet" think, not all comms require TLS.

+1

I can understand the importance of downloading AOO through https, as it
gives an additional proof of the identity of the serving web site.

But simple information such as "there is a new version" is IMHO not so
important to require encryption, protection from man-in-the-middle
attacks and all the other goodies of https.

[...]
> So we think/know that OpenSSL1.1 would NOT have that problem because it works
> around the LetsEncrypt issue. Which means we have 2 options:
>
> 1. Stay w/ OpenSSL 1.0.2 and use the LE hack mentioned in this thread
> 2. Upgrade all to OpenSSL 1.1
>
> My assumption is that dropping Serf for Curl wouldn't make a difference since
> both use OpenSSL
>

Then OpenSSL should be upgraded nevertheless! ;-)

If I understood correctly, upgrading Serf would also require:

1- installing Scons. We could argue that we could ``throw our heart over
the bar'' and engage in this, as it could be the (somewhat distant)
future of the AOO build system.

2- upgrading APR. I am a bit worried about what an APR upgrade would
depend on by itself.

But upgrading our dependencies should be considered A Good Thing, right?

Dropping Serf could also be a good path to follow, as _lowering_ the
number of our dependencies may be A Good Thing as well. But I have no
idea of the effort that replacing Serf calls with equivalent Curl calls
will require.

I hope the above makes sense. Comments are welcome.

Best regards,
--
Arrigo