On Mon, Apr 14, 2014 at 7:40 AM, kcrisman <kcris...@gmail.com> wrote: > > > On Sunday, April 13, 2014 3:46:57 PM UTC-4, William wrote: >> >> On Sun, Apr 13, 2014 at 12:22 PM, Brian Sherson <caret...@gmail.com> >> wrote: >> > First question: Is SAGE notebook susceptible to the Heartbleed bug when >> > run >> > with secure=True? >> >> It depends. Yes... unless you have a new version of the openssl >> library. It depends a lot on how/where you built Sage and the sage >> notebook. Did you install the optional openssl sage package? >> > > Which is basically one of the affected versions - openssl-1.0.1c.p0.spkg - > Maybe we can update that spkg? Would that be pretty easy to do?
I think we should consider just deleting the openssl spkg. Let people who want ssl support install their vendor's devel library, and I think the Python in Sage will link against it when it is built. Us providing openssl at all is a little unpleasant, just because of the GPL-incompatible license (though it's legal since it's an optional package). I'm surprised to have personally not seen anything in the online discussions about heartbleed about how the openssl license is GPL-incompatible, which causes a lot of headaches. I've always been annoyed at their license choice. For a long time, we shipped GNUtls with sage (an alternative to openssl). That said, even if we plan to update it, for now I think we should delete the openssl spkg asap anyways, since it contains the vulnerability. In fact, I think that so much, I'm going to delete it from http://sagemath.org/packages/optional/ right now [...] OK, it is now gone. Wiliam -- William > > -- > You received this message because you are subscribed to the Google Groups > "sage-support" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to sage-support+unsubscr...@googlegroups.com. > To post to this group, send email to sage-support@googlegroups.com. > Visit this group at http://groups.google.com/group/sage-support. > For more options, visit https://groups.google.com/d/optout. -- William Stein Professor of Mathematics University of Washington http://wstein.org -- You received this message because you are subscribed to the Google Groups "sage-support" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-support+unsubscr...@googlegroups.com. To post to this group, send email to sage-support@googlegroups.com. Visit this group at http://groups.google.com/group/sage-support. For more options, visit https://groups.google.com/d/optout.
