Web lists-archives.com

Re: openssl/libssl1 in Debian now blocks offlineimap?




On Tue, Aug 15, 2017 at 05:04:50PM +0200, Kurt Roeckx wrote:

> My problem is that if we don't do something, TLS 1.0 will be used
> for an other 10 year, and that's just not acceptable.

The usage of TLS in the wild does not rely on you. Neither its does to
Debian, IMHO.

Now, when talking about the users of Debian I'm fine with such
statements. Actually, I'm not a user of Debian myself for good reasons.

>                                                       So I would
> like to do something so that hopefully by the time Buster releases
> you can disable TLS 1.0 by default, and that almost no users would
> need to enable it again.

What do you mean by *you*? The users? They don't seem to have any
choice.

> Having TLS 1.0 (and 1.1) enabled by default itself is not a
> problem, it's actually using it that's a problem.

Well, there is a lot of problems in the world. Not being able to use a
protocol anymore because a maintainer decided to disable the feature can
be one of them.

>                                                   There are
> clearly still too many that don't support TLS 1.2, but it's
> getting better.

So this policy is neglecting the users needs in the hope this will force
third-parties to move...

> Disabling the protocols is the only way I know how to identify
> all the problems.

There is a gap between forcefully disabling a protocol and disabling it
with the possibility to manually re-enable it when really required.

If we even admit that the "forcefully disallow protocols for our users"
policy is a good alternative to change the world, it's well known that
all the providers won't upgrade any time soon. So, the Busters users are
taken hostage.

>                   And I would like to encourage everybody to
> contact the other side if things break and get them to upgrade.

Sure. This does not prevent from providing a plan B: manually re-enable
a "won't be supported anymore" feature.

I tend to think that in the end this is all about consideration to your
users. Of course, it's up to you to go your own way.

-- 
Nicolas Sebrecht