On Sat, Nov 08, 2014 at 09:19:18PM +0000, Emilio Pozuelo Monfort wrote:
> On 08/11/14 18:55, Kurt Roeckx wrote:
> >On Sat, Nov 08, 2014 at 03:38:35PM +0000, Julien Cristau wrote:
> >>On Sat, Nov 1, 2014 at 20:21:21 +0100, Kurt Roeckx wrote:
> >>
> >>>Package: release.debian.org
> >>>Severity: normal
> >>>
> >>>Hi,
> >>>
> >>>SSLv3 has been disabled in jessie already, at least for normal
> >>>usage. But there is a way to explicitly create a socket that only
> >>>supports SSLv3 and I would like to disable that too.
> >>>
> >>No, it's much too late for this, sorry.
> >
> >Will you accept patches for other packages that stop using the
> >SSLv3 methods?
>
> If the changes are sensible (e.g. not too invasive), sure. We'll consider
> that on a case-by-case basis.

It depends on your definition of invasive. They're all very simple
changes, it's stopping to use functions they should never have used
in the first place, and only use the SSLv23 methods instead.

I've filed 2 bugs with patches about this today:
#768611: python2.7
#768562: curl

(They would fix all those RC bugs people are filing)

As you can see in both patches, they're really easy. But they both
have the potential to break reverse dependencies. And I want to
break them, because they are broken.

Kurt
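
An added example, not part of the original message or of either patch: a small scanner for finding reverse dependencies that explicitly request the SSLv3-only methods discussed above. The identifier list, the suggested replacements (in particular the libcurl one) and the sample sources are assumptions constructed for illustration.

```python
import re

# Identifiers that pin a connection to SSLv3 only
# (OpenSSL C API, Python ssl module, libcurl option value).
SSLV3_ONLY = re.compile(
    r"\b(SSLv3_(?:client_|server_)?method|PROTOCOL_SSLv3|CURL_SSLVERSION_SSLv3)\b"
)
# Version-flexible replacement for each identifier (assumed mapping).
SUGGEST = {
    "SSLv3_method": "SSLv23_method",
    "SSLv3_client_method": "SSLv23_client_method",
    "SSLv3_server_method": "SSLv23_server_method",
    "PROTOCOL_SSLv3": "PROTOCOL_SSLv23",
    "CURL_SSLVERSION_SSLv3": "CURL_SSLVERSION_DEFAULT",
}

def scan(sources):
    """sources maps filename -> text; returns (file, line, found, suggestion) tuples."""
    findings = []
    for name, text in sorted(sources.items()):
        # Crude line-comment stripping so commented-out calls are not reported.
        marker = "#" if name.endswith(".py") else "//"
        for lineno, line in enumerate(text.splitlines(), 1):
            code = line.split(marker, 1)[0]
            for m in SSLV3_ONLY.finditer(code):
                findings.append((name, lineno, m.group(1), SUGGEST[m.group(1)]))
    return findings

# Constructed sample sources, not taken from any real package.
SAMPLE = {
    "client.c": (
        "/* constructed sample */\n"
        "ctx = SSL_CTX_new(SSLv3_client_method());\n"
        "// old: SSLv3_method()\n"
        "ctx2 = SSL_CTX_new(SSLv23_client_method());\n"
    ),
    "fetch.py": (
        "import ssl\n"
        "s = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv3)  # legacy\n"
        "t = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv23)\n"
    ),
    "dl.c": "curl_easy_setopt(h, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);\n",
}

if __name__ == "__main__":
    for name, lineno, found, better in scan(SAMPLE):
        print(f"{name}:{lineno}: {found} -> consider {better}")
```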