[Twisted-Python] dropping old pyOpenSSL versions

2016-07-07 Thread Glyph Lefkowitz
In the past, we've been very conservative about updating to require new versions of pyOpenSSL and cryptography. Right now we have a patch, (), that I'd like to just land. However, it establishes

Re: [Twisted-Python] dropping old pyOpenSSL versions

2016-07-07 Thread Clayton Daley
I don't object to this specific change (we're on shiny new code), but want to offer some food-for-thought: 1) Is newer really better in cryptography? Heartbleed affected 1.0.1, but not 1.0.0 and there are a bunch of vulnerabilities that only affect the newer libraries (https://www.openssl.org/new

Re: [Twisted-Python] dropping old pyOpenSSL versions

2016-07-07 Thread Tristan Seligmann
On Thu, 7 Jul 2016 at 23:07 Clayton Daley wrote:
> I don't object to this specific change (we're on shiny new code), but want
> to offer some food-for-thought:
>
> 1) Is newer really better in cryptography? Heartbleed affected 1.0.1, but
> not 1.0.0 and there are a bunch of vulnerabilities that

Re: [Twisted-Python] dropping old pyOpenSSL versions

2016-07-07 Thread Clayton Daley
> > First of all, newer cryptography and newer OpenSSL are different things.

The proposal was a change to pyOpenSSL. If newer is better in all (potentially) affected layers, then you've answered my question in the affirmative.

> 2) How does this impact regulated industries. In healthcare (my

Re: [Twisted-Python] dropping old pyOpenSSL versions

2016-07-07 Thread Glyph Lefkowitz
> On Jul 7, 2016, at 2:06 PM, Clayton Daley wrote:
>
> I don't object to this specific change (we're on shiny new code), but want to
> offer some food-for-thought:
>
> 1) Is newer really better in cryptography? Heartbleed affected 1.0.1, but
> not 1.0.0 and there are a bunch of vulnerabiliti

Re: [Twisted-Python] dropping old pyOpenSSL versions

2016-07-07 Thread Clayton Daley
> > I don't mean to jump down your throat here; the tone is definitely harsher
> than I would like, but I want it to be very clear why I have such strong
> feelings about upgrading security-critical dependencies.
> I don't take it personally. I do a little coding (hello startup) but I'm actually

Re: [Twisted-Python] dropping old pyOpenSSL versions

2016-07-07 Thread Glyph Lefkowitz
> On Jul 7, 2016, at 4:20 PM, Clayton Daley wrote:
> > I don't mean to jump down your throat here; the tone is definitely harsher
> than I would like, but I want it to be very clear why I have such strong
> feelings about upgrading security-critical dependencies.
> > I don't take it personall

Re: [Twisted-Python] dropping old pyOpenSSL versions

2016-07-07 Thread Clayton Daley
We're very close on the theory. My point wasn't to discourage upgrades. Even regulated entities can and should upgrade their security libraries as part of their annual audit cycle. My point was to promote a more deliberate depreciation cycle with better visibility for regulated entities. I'm not