On 11/23/2014 06:01 AM, Jeremy Stanley wrote:
> but we shouldn't
> backport a patch which suddenly breaks someone's cloud because they
> made a conscious decision to configure it to use SSLv3 for RPC
> communication.

I'm having a hard time figuring out in which case it would make sense to
do so. However...

On 11/23/2014 06:01 AM, Jeremy Stanley wrote:
> My point is that suggesting there's a vulnerability here without
> looking at how the code is used is sort of like shouting "fire" in a
> crowded theater.

I agree with that point, but also with your point about anticipation of
future issues. I think it would be a good idea to strengthen things, in
advance of possible downgrade attacks that may occur if we keep support
for SSLv3.

On 11/24/2014 01:09 AM, Doug Hellmann wrote:
> The only place things will be breaking is on the version of Python
> shipped by Debian where the constant used to set up the validation
> logic is no longer present in the SSL library. Let’s start by making
> the smallest change we can to fix that problem, and then move on.

Yes please! And I need this backported to Icehouse ASAP (as that's what
we're shipping in Jessie). At this point, I prefer to let others who are
better than me at these sorts of (sensitive) patches do the work.

On 11/24/2014 01:09 AM, Doug Hellmann wrote:
> That’s an easy patch for us to land, and I hope Thomas will update the
> patch he has already submitted based on feedback on that review.

Could someone take over my patch? :)
I'm quite busy doing other things, and it isn't my role to work on such
things directly. I often send a patch here and there when I see fit, but
here, I don't think I'm the best person to do so.

>> I don't really mind if we continue to allow it, but at least we
>> should move fast to have oslo-incubator fixed. I will need to do
>> something fast for Icehouse in Sid/Jessie, as we're in freeze mode.
>> Best would be to have the issue resolved before the next point
>> release (currently set for May 14 2015).
>
> Sure. See my comments on your current review for what I think we need
> to do to handle the backwards-compatibility issues more clearly.
>
> Doug

Hum... git review -d ?
:)

Thomas
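
The breakage Doug describes in the quoted text above (the constant used to set up the validation logic is missing from the ssl library on Debian's Python), as an added example. It is not the oslo-incubator patch under review: `CANDIDATES`, `available_protocols`, `validate_ssl_version` and the two stand-in modules are hypothetical names, and the constant values in the stand-ins are constructed.

```python
import ssl
import types

# Config value -> attribute name in the ssl module (hypothetical table).
CANDIDATES = {
    "tlsv1": "PROTOCOL_TLSv1",
    "sslv23": "PROTOCOL_SSLv23",
    "sslv3": "PROTOCOL_SSLv3",
}

# Constructed stand-ins for two builds of the ssl module (values arbitrary).
FULL_BUILD = types.SimpleNamespace(
    PROTOCOL_TLSv1=3, PROTOCOL_SSLv23=2, PROTOCOL_SSLv3=1)
STRIPPED_BUILD = types.SimpleNamespace(PROTOCOL_TLSv1=3, PROTOCOL_SSLv23=2)


def available_protocols(ssl_module=ssl):
    """Map config names to constants, skipping any this build lacks."""
    found = {}
    for name, attr in CANDIDATES.items():
        # getattr with a default avoids an AttributeError at import time.
        const = getattr(ssl_module, attr, None)
        if const is not None:
            found[name] = const
    return found


def validate_ssl_version(version, ssl_module=ssl):
    """Return the protocol constant for a configured version string."""
    key = version.lower()
    if key not in CANDIDATES:
        raise ValueError("Invalid SSL version: %r" % version)
    protocols = available_protocols(ssl_module)
    if key not in protocols:
        # Known name, but this Python's ssl library was built without it.
        raise RuntimeError(
            "SSL version %r is not available in this ssl module" % version)
    return protocols[key]


if __name__ == "__main__":
    print("this interpreter:", sorted(available_protocols()))
    for build in (FULL_BUILD, STRIPPED_BUILD):
        try:
            print(validate_ssl_version("SSLv3", build))
        except RuntimeError as exc:
            print("rejected:", exc)
```

Existing deployments configured for SSLv3 keep working where the library still has it, and a build without it fails only when that value is actually requested.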