On Thu, Jul 7, 2016 at 7:00 PM, Glyph Lefkowitz wrote:
> 2) How does this impact regulated industries? In healthcare (my current
> industry), changing a library (especially cryptography) could mean:
>
> - An internal review to select a new version of the library
> - An internal change mana
We're very close on the theory. My point wasn't to discourage upgrades.
Even regulated entities can and should upgrade their security libraries as
part of their annual audit cycle. My point was to promote a more
deliberate depreciation cycle with better visibility for regulated entities.
I'm not
> On Jul 7, 2016, at 4:20 PM, Clayton Daley wrote:
>
> I don't mean to jump down your throat here; the tone is definitely harsher
> than I would like, but I want it to be very clear why I have such strong
> feelings about upgrading security-critical dependencies.
>
I don't take it personally. I do a little coding (hello startup) but I'm actually
> On Jul 7, 2016, at 2:06 PM, Clayton Daley wrote:
>
> I don't object to this specific change (we're on shiny new code), but want to
> offer some food-for-thought:
>
> 1) Is newer really better in cryptography? Heartbleed affected 1.0.1, but
> not 1.0.0 and there are a bunch of vulnerabiliti
>
> First of all, newer cryptography and newer OpenSSL are different things.
The proposal was a change to pyOpenSSL. If newer is better in all
(potentially) affected layers, then you've answered my question in the
affirmative.
> 2) How does this impact regulated industries? In healthcare (my
On Thu, 7 Jul 2016 at 23:07 Clayton Daley wrote:
> I don't object to this specific change (we're on shiny new code), but want
> to offer some food-for-thought:
>
> 1) Is newer really better in cryptography? Heartbleed affected 1.0.1, but
> not 1.0.0 and there are a bunch of vulnerabilities that
I don't object to this specific change (we're on shiny new code), but want
to offer some food-for-thought:
1) Is newer really better in cryptography? Heartbleed affected 1.0.1, but
not 1.0.0 and there are a bunch of vulnerabilities that only affect the
newer libraries (https://www.openssl.org/new